A third English NHS organisation in the space of a month has been required to take enforcement action by the Information Commissioner’s Office.

The latest action has been taken against Brent Teaching Primary Care Trust, over the theft of two laptops containing personal information about 389 patients.

Mick Gorrill, assistant information commissioner at the ICO, said: “I am increasingly concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted.”

The laptops were stored in a locked office, but were left out on a desk in breach of the PCT’s own security procedures. The equipment was not encrypted and contained sensitive information.

The ICO has required Brent PCT to sign a formal undertaking outlining that it will process personal information in line with the Data Protection Act.

Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust were required to sign similar agreements in January.

In November 2008, two Scottish health boards, NHS Tayside and NHS Lanarkshire, were also required to sign an agreement to comply with the DPA or face possible future prosecution

Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.