The Information Commissioner’s Office has told two different Scottish NHS bodies they must tighten data security after a series of data breaches.

In one incident, a senior nursing manager in NHS Grampian inappropriately emailed 50 staff with sensitive personal details relating to a patient.

In another incident, NHS Education for Scotland had a laptop containing the unencrypted personal information of 6,377 applicants for medical training positions stolen. The information included names, addresses, phone numbers and personal details of the applicants.

Malcolm Wright, chief executive of the agency, has signed an undertaking to make sure his organisation take steps to secure personal information in the future.

Ken Macdonald, assistant information commissioner – Scotland – said: “Password protected laptops are not secure. I urge all organisations to restrict and encrypt the amount of personal information stored on portable devices that can be taken off site.”

The undertaking also commits NES to ensuring that staff are aware of the policy for the storage and use of personal data and are appropriately trained on how to follow that policy.

NHS Grampian has also committed to improve data security after the ICO received reports of three separate data breaches, including the email incident. Lack of secure storage on the labour ward also enabled someone to remove the personal details of 200 patients from a confidential waste sack.

And a laptop containing details of patients in the gastroenterology clinic was stolen from a locked office. The laptop was not encrypted and contained personal data on 1,500 patients with an unspecified disease.

The ICO said that its investigations revealed that staff, patients and visitors could have had access to confidential waste, and that many staff have not been aware of the correct procedures for disposing of such material.

It is also clear that some staff have been using home computers for work-related tasks involving personal information and using USB sticks to transfer the work, contravening the organisation’s own policies and procedures.

Macdonald said: “Details about people’s physical and mental health are sensitive personal data. It is vital that organisations handle personal information securely, especially where patients’ details are concerned.”