NHS Trust reacts angrily to record £325,000 ICO fine

02.06.2012

"We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."

The ICO said that the Trust had been unable to explain how the contractor given the job of destroying the drives was able to remove such a large number from the hospital building where they were being stored without being detected. The task of disposing of the drives should have been supervised to ensure security.

"The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," said ICO deputy commissioner and director of data protection, David Smith.

"That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff."

The problematic dimension of this breach for the ICO will have been the sheer number of hard drives lost and the sensitivity of the data they contained, including National Insurance numbers, addresses, and even notes on criminal convictions.