"The NMC, which is the regulator for over 660,000 registered nurses and midwives across the United Kingdom, was issued the £150,000 civil monetary penalty for breaching the Data Protection Act," writes PublicTechnology's Andy Price. "The breach came when the council lost three DVDs relating to a nurse's misconduct hearing, which contained confidential personal information and evidence from two children."
"The information required for the hearing was packaged in the NMC offices and collected by a courier on 7 October," Infosecurity reports. "They were delivered to the hotel three days later. The packages showed no sign of tampering, but the DVDs were missing and have never been found. The problem as far as the ICO is concerned is that they were unencrypted. "
"The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk," Deputy Commissioner and Director of Data Protection David Smith said in a statement. "No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered."
"The ICO levied the fine because the council had failed to take appropriate precautions to prevent such a data breach, it said, and because the nature of the data meant the breach was 'likely to cause substantial distress," writes Information Age's Pete Swabey.