ICO doesn't have that power. They can prosecute people but only if they've deliberately breached the DPA and that doesn't seem to be the case here. The NHS should definitely hold the people responsible to account though.
So, the system for protection of personal data in the NHS is broken then - if managers can choose to flout the law without any personal repercussions then that law is useless.
IIRC you have to have a license to work with certain types of data, that person/those people need to lose grades to the point they have no controlling decision with respect to personal data. It shouldn't be up to their colleagues whether they get held responsible.
I work in a craft studio and face a large fine - so I'm told - if I reveal personal data, or make that possible ... because perish the thought someone could learn you painted a piece of pottery, but reveal personal health information against patient wishes and nothing happens?
My last sentence stated that the NHS should hold the people who screwed up responsible or fix the broken systems that allowed this to take place. As I said a fine is of no benefit to the public and prosecution would only be used in repeat or intentional breaches of the DPA (which I'm guessing this wasn't). Therefore it's up to the NHS to sort out the problem within their organisation.
>> I work in a craft studio and face a large fine - so I'm told - if I reveal personal data, or make that possible
I'm guessing you're subject to the exact same process the NHS has gone through here. The only reason you would be more likely to receive the fine is because it makes sense as you're not funded by the taxpayer. Fining the NHS is in effect fining the taxpayer for breaching the rights of the taxpayer. It's the same reason the police and other public bodies don't often get fined.
Punitive punishment does nothing to stop bad practice from happening. It does make sure that people who make mistakes cover them up.
We especially do not want that in NHS organisations[1] - we want people to freely and openly admit to mistakes made.
[1] I gently dislike it when people say "The NHS" - that's not a thing, and it hasn't existed for many years now. There are 4 NHSs in the UK, and each of those is made up of a bunch of smaller organisations that have little connection to the rest.
In this situation "The NHS" did nothing. One hospital trust made this decision. Many other NHS trusts (and the Caldicott Guardians) were alarmed by the decision.