The Information Commissioner’s Office (ICO) has found the University Hospital of South Manchester NHS Foundation Trust in breach of the Data Protection Act (DPA) after an unencrypted USB key containing patients’ personal data was lost.
Sensitive personal information relating to the treatment of 87 patients at the hospital was lost after a medical student copied data onto a personal, unencrypted memory stick – provided by the Trust – for research purposes.
The student was on a placement at the hospital’s burns and plastics department at the time, and lost the stick during another placement in December 2010.
Following an investigation, the ICO found that the hospital did not provide students with induction training, including DPA-related training, which it gave to its own staff. The hospital assumed that the student had received data protection training at medical school.
The University Hospital of South Manchester has now signed an undertaking to ensure that all students are aware of data protection policies, in order to keep personal information accessed by students secure.
Sally Anne Poole, acting head of enforcement at the ICO, said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.
“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.”
Separately, the London Ambulance Service NHS Trust has also today signed an undertaking after it was found to have breached the DPA when a personal, unencrypted laptop was stolen from a contractor’s home.
The laptop contained personal data and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. However, it did not contain medical records.
Although the contractor had legitimate access to the records, the member of staff had emailed them to a personal account in order to work from home, which breached the Trust’s policy, and then downloaded the information onto a personal, unencrypted laptop.
The London Ambulance Service has now agreed to ensure that all staff are made aware of the Trust’s data protection policies.