On 7th September, the Information Commissioner’s Office (ICO) announced the results of its investigation into the University Hospital of South Manchester NHS Foundation Trust, which breached the Data Protection Act after it lost the personal data of 87 patients.
The information was lost after a medical student, who had been on a placement at the hospital’s Burns and Plastics Department, copied data onto a personal, unencrypted memory stick for research purposes. The student then lost the memory stick during a subsequent placement in December last year.
The ICO’s investigation uncovered that the hospital had “assumed” that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff.
Sally Anne Poole, Acting Head of Enforcement said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff, both permanent and temporary, understands their responsibilities on day one in the job.
“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”
The London Ambulance Service, which breached the Data Protection Act after a personal laptop was stolen from a contractor’s home, agreed a further undertaking. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.
The list of ICO actions during the last 3 months is below:
7 September 2011
- An undertaking to comply with the seventh data protection principle has been signed by London Ambulance Service NHS Trust. This follows the theft of a personal unencrypted laptop containing patient data.
- An undertaking to comply with the seventh data protection principle has been signed by University Hospital of South Manchester NHS Foundation Trust. This follows the loss of an unencrypted memory stick containing personal information relating to approximately 87 patients.
2 September 2011
- An undertaking to comply with the seventh data protection principle has been signed by the Scottish Children’s Reporter Administration. This follows the sending of an email containing sensitive personal data relating to a child’s court hearing to an unknown third party and the temporary loss of 9 case files relating to the safety and welfare of children during an office move.
- An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council. This follows a self-reported breach concerning a flaw in the encryption function of a number of Council-issued memory sticks. The flaw could allow the memory sticks to be formatted, removing the encryption protection.
10 August 2011
- An undertaking to comply with the seventh principle of the DPA has been signed by the London Borough of Greenwich. This follows two incidents where sensitive personal data was inadvertently disclosed, due to the Council’s failure to include appropriate wording in its ICT policy stating that sending sensitive personal data in business-related emails to external webmail addresses should be avoided.
9 August 2011
- An undertaking to comply with the seventh data protection principle has been signed by Lush Cosmetics Ltd. This follows a malicious intrusion on their website which compromised approximately 5000 customer credit cards.
8 August 2011
- An undertaking to comply with the seventh data protection principle has been signed by Bay House School after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.
5 August 2011
- An undertaking to comply with the seventh data protection principle has been signed by HCA International Limited. This follows the theft of two unencrypted laptops containing sensitive personal data from one of the group’s hospitals in March.
4 August 2011
- An undertaking to comply with the seventh data protection principle has been signed by the Chief Executives of Lewisham Homes Limited (the ICO website has Lewisham Council listed, which is incorrect) and Wandle Housing Association. This follows the discovery of an unencrypted USB stick containing thousands of tenant records and financial data in a London pub.
29 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by Kirklees Metropolitan Council. This follows the inappropriate disclosure of personal data by care workers contracted by Kirklees Metropolitan Council.
20 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by the University of York after it failed to close a test area on its website that contained thousands of students’ personal details. While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.
19 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by Lancashire Police Authority (LPA). This follows the inappropriate disclosure of sensitive personal data on the LPA’s website.
18 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by Northamptonshire Healthcare NHS Foundation Trust. This follows the loss of one individual’s medical records.
5 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by Ms Raisa Saley, Barrister at law, further to the loss of a bundle of court papers which contained a considerable volume of sensitive personal data relating to a number of individuals from the same family.
1 July 2011
- An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
- An undertaking to comply with the seventh principle of the DPA has been signed by Dunelm Medical Practice, further to the inappropriate facsimile transmission and subsequent disclosure of two patients’ electronic discharge letters, which contained sensitive personal data, including medical information.
- An undertaking to comply with the seventh data protection principle has been signed by East Midlands Ambulance Service NHS Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
- An undertaking to comply with the seventh data protection principle has been signed by the Ipswich Hospital NHS Trust. This follows the discovery of 29 patient records containing sensitive personal data in a public place.
- An undertaking to comply with the seventh data protection principle has been signed by Lancashire Teaching Hospitals NHS Foundation Trust. This follows the faxing of sensitive personal data to a member of the public on more than one occasion.
28 June 2011
- An undertaking to comply with the seventh data protection principle has been signed by Cherubs Community Playgroup. This follows the theft of an unencrypted laptop containing personal information relating to approximately 47 families.
14 June 2011
- An undertaking to comply with the seventh data protection principle has been signed by CCTV monitoring website Internet Eyes Limited. This follows a complaint about a clip posted on video sharing website YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes website.
- An undertaking to comply with the seventh data protection principle has been signed by Surbiton Children’s Centre Nursery. This follows the theft of a teacher’s bag containing an unencrypted memory stick and paperwork.
8 June 2011
- An undertaking to comply with the seventh data protection principle has been signed by North Lanarkshire Council. This follows the theft of hard copy documents containing sensitive personal data.
The Commissioner was also very busy prior to the dates above, but for the purposes of consolidation I have only included the last 3 months’ worth.