From the press release (pdf) from the Information Commissioner’s Office (ICO):
The Information Commissioner’s Office (ICO) has taken enforcement action against Hastings and Rother Primary Care Trust (PCT) following a breach of the Data Protection Act.
This is the eighth time the ICO has taken enforcement action against an NHS organisation for breaching the Data Protection Act since November 2008.
A computer was stolen from Hastings and Rother PCT containing sensitive personal information on patients. The building, where the computer was kept, did not have adequate security measures in place and the data controller had previously expressed concern over the lack of physical security.
The ICO has required Hastings and Rother PCT to sign a formal Undertaking outlining that it will process personal information in line with the Data Protection Act. The PCT will ensure staff are adequately trained and will encrypt all office equipment and mobile devices used to store and transmit personal information.
Mick Gorrill, Assistant Information Commissioner at the ICO, said: “The stolen computer contained sensitive health information on patients. The PCT should handle all personal information, particularly sensitive details, in compliance with the Data Protection Act. I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients are processed securely.”
Failure to meet the terms of the Undertaking is likely to lead to further enforcement action by the ICO. A copy of the Undertaking can be downloaded here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx