HCA International Ltd, a private health company, has been fined £200,000.00 by the Information Commissioner’s Office (“ICO”) because it failed to keep fertility patients’ personal information secure.
The fine followed an investigation by the ICO into the way that the Lister Hospital was storing, transcribing and transferring the records it held about patient IVF appointments.
The hospital in question is one of a number forming a worldwide network of private health care facilities where patients can benefit from various services, including fertility treatment. The problem came to light in April 2015 when a patient at the hospital discovered that transcripts which included details of interviews with IVF patients were freely available by online search.
The ICO’s investigation found that, since 2009, the hospital had been routinely sending unencrypted audio recordings of interviews to a company in India by email. These recordings, which contained private conversations between doctors and patients wishing to undertake fertility treatment, were transcribed in India before being returned to the hospital.
During its investigation the ICO also found that the company in India stored the audio files and transcripts on an unsecured server, and so could not restrict access to the personal information held on it.
The ICO found that HCA International had breached the Data Protection Act 1998 through its failure to ensure that its sub-contractor acted responsibly.
Whilst this fine is far from insignificant, bear in mind that when the General Data Protection Regulation (known as “GDPR”) comes into force in the UK on 25th May 2018, the ICO’s fining powers will be strengthened and extended. From that date, fines of up to four per cent of global turnover or €20 million, whichever is the greater, may be imposed.
By Daniel Gardener