Imperial breaches the DPA

Imperial College Healthcare NHS Foundation Trust has become the latest NHS organisation to be required to sign an undertaking not to breach the Data Protection Act by the Information Commissioner’s Office.

The undertaking says six laptops were stolen in two burglaries at St Mary’s Hospital, one of which was unencrypted even though it held patient details. An employee also lost paper records containing the details of 6,000 patients from a cycle pannier.

The trust has now undertaken to improve its physical security, ensure that all devices that hold personal data are encrypted and make staff aware of its policies.

The Information Commissioner’s Office has also required NHS Lothian to sign an undertaking not to breach the DPA following an incident in June 2008 in which an employee lost a USB stick full of letters to Edinburgh GPs.

The undertaking says that the USB stick was the “personal property” of the employee and “should not have been used to store NHS Lothian data.”

Since the incident, the trust has run a USB stick amnesty and invested in its own, encrypted sticks, backed up by Lumension Security’s Sanctuary Device Control.

NHS National Services Scotland recently awarded a £1m contract to Lumension to nationally enforce security policies governing the storage of data.