The Information Commissioner’s Office has issued further warnings to NHS bodies about the importance of protecting data, after revealing that another five trusts have breached the Data Protection Act.
The breaches were made by three London trusts – The Royal Free Hampstead, Chelsea and Westminster Hospital and Epsom and St Helier University Hospital – and two southern trusts – Surrey and Sussex Healthcare and Hampshire Partnership.
The Royal Free took more than five months to report the loss of an unencrypted CD, which is believed to contain the medical treatment details of more than 20,000 patients. However, the member of staff who lost the disk is unable to recall what was on it or any of the circumstances surrounding its loss.
The breach at Surrey and Sussex occurred after a ward handover sheet containing information relating to more than 23 patients was left on a bus.
Two unencrypted laptops were also stolen from the trust, even though they were supposedly secured behind three locked doors. An investigation revealed staff at the trust had “poor knowledge of the requirement to store data relating trust business on network drives.”
Chelsea and Westminster reported the theft of an unencrypted USB memory stick, which contained 143 patient details, from an unlocked office that was being used as a walk-in clinic.
A member of staff from the Hampshire Partnership NHS Trust had a laptop stolen at a London healthcare conference, which held details of hundred of patients and staff. And Epsom and St Helier was reprimanded for storing hospital records insecurely for nearly two years.
Sally-Anne Poole, head of enforcement and investigations at the ICO, said: “These five cases serve as a reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security. It is important that staff adhere to policies designed to protect individuals’ sensitive information.
“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands.”
Each of the trusts has now signed an undertaking to abide by particular aspects of the Data Protection Act, to avoid enforcement action.
The undertakings commit the trusts to a range of actions, such as ensuring that all portable devices must be encrypted using software that meets the current standard, that physical security measures are adequate enough to prevent unauthorised access and that the policy covering the storage and use of personal data is adhered to by staff.