[k-mcgrady]

My last sentence stated that the NHS should hold the people who screwed up responsible or fix the broken systems that allowed this to take place. As I said a fine is of no benefit to the public and prosecution would only be used in repeat or intentional breaches of the DPA (which I'm guessing this wasn't). Therefore it's up to the NHS to sort out the problem within their organisation.

>> I work in a craft studio and face a large fine - so I'm told - if I reveal personal data, or make that possible

I'm guessing you're subject to the exact same process the NHS has went through here. The only reason you would be more likely to receive the fine is because it makes sense as you're not funded by the taxpayer. Fining the NHS is in effect fining the taxpayer for breaching the rights of the taxpayer. It's the same reason the police and other public bodies don't often get fined.