The Information Commissioner’s Office has taken enforcement action against two NHS trusts for data losses that placed them in breach of the Data Protection Act.

The ICO found Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust were both in breach of the DPA for failing to secure patient data.

The two trusts have been required to sign formal Undertakings outlining that they will process personal information in the future. Failure to meet the terms of the Undertaking is likely to lead to further enforcement action by the ICO.

An unencrypted laptop containing the sensitive personal data of approximately 5,000 patients, including some health records, was stolen from the Abertawe Bro Morgannwg University NHS Trust.

Tees, Esk and Wear Valleys NHS Foundation Trust lost an unencrypted memory stick containing sensitive personal information relating to patients and Trust staff. The data stick was later returned to the trust.

The trusts will now implement a number of security measures to protect personal information more effectively. With immediate effect, all portable and mobile devices used to store and transmit personal data will be encrypted.

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “Both these cases highlight the importance of implementing the appropriate safeguards to ensure sensitive personal details about patients are processed securely. Even though one case involved the theft of a laptop, the data controller (Abertawe Bro Morgannwg University NHS Trust) is responsible for ensuring any personal data is adequately protected.”

At the end of November the ICO found two Scottish Health Boards, NHS Tayside and NHS Lanarkshire, in breach of the DPA and required them to sign similar Undertakings.

