Data protection breached by five NHS trusts

Glyn Wintle, 16 July 2009

The Information Commissioner’s Office (ICO) is issuing further warnings to NHS bodies about the importance of data security, after finding five more NHS organisations in breach of the Data Protection Act.

In one case, a ward hand-over sheet containing notes about patients' health was left on a bus.

The Royal Free Hampstead NHS Trust reported the loss of an unencrypted compact disk initially thought to contain medical treatment details of 20,000 patients from the hospital's cardiology department. The Trust has since reported to the ICO that it cannot be precise about the information contained on the disk.

Chelsea and Westminster Hospital Foundation Trust reported the theft of an unencrypted memory stick containing 143 patient details including sensitive medical information. The Trust believes that the information was stolen from an unlocked office that was being used as a walk-in clinic. The memory stick was not password protected or encrypted, and an employee had been taking it home for use on his personal computer.

It emerged that Epsom and St Helier University Hospital NHS Foundation Trust was storing hospital records insecurely for nearly two years following data being transferred between hospitals.

A ward handover sheet, containing information relating to 23 patients in the care of Surrey and Sussex NHS Trust, was found on a bus. The Trust also reported the theft of two laptop computers. Although they were kept behind three locked doors, they were not encrypted.

Hampshire Partnership NHS Trust informed the ICO about the theft of an unencrypted laptop computer holding the personal data of 349 patients and 258 staff. The laptop was stolen from an employee attending a health conference. Some of the information was classified as sensitive personal data as defined in Section 2 of the Act.

The NHS bodies have agreed to implement the appropriate security measures to ensure that personal details are properly protected by establishing physical safeguards, such as locking an office. Staff will be appropriately trained on the policy for storage and how to follow that policy. Laptops, mobile and portable devices held by The Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital NHS Foundation Trust and Hampshire Partnership Trust will be password protected and encrypted.

Source: The Information Commissioner's Office (PDF)