Antony Sumara, the Chief Executive of Mid Staffordshire NHS Foundation Trust, has agreed to take action to comply with the Data Protection Act following a significant security breach. The breach occurred after a member of the Trust’s human resources team transferred personal information to a home computer. The information, known as a ‘Statement of Case’, contained sensitive personal details about an employee and two further documents. Some of the information related to the employee’s previous criminal conviction.
Investigators at the Information Commissioner’s Office (ICO) considered this security breach very carefully. The ICO found that the information in question was protected by neither a password nor encryption, and that the Trust had breached the Data Protection Act by failing to comply with security requirements. Antony Sumara has signed an Undertaking with the ICO pledging to adopt a wide range of security improvements, including the introduction of new rules for staff concerning personal information when working at home. The Undertaking notes that, after discovering the breach had occurred, the Trust initially ‘failed to demonstrate appropriate urgency’ to secure the data concerned. Should data security breaches be suspected in the future, the Trust has pledged to take appropriate remedial action as soon as is practicable to recover, or prevent access to, any data rendered insecure.
Mick Gorrill, Assistant Information Commissioner, said: “I strongly advise organisations to avoid instances where employees can download and transfer personal information to home computers. This incident should never have occurred and could easily have been averted. If personal details fall into the wrong hands, individuals can experience considerable distress. It is vital that personal information is handled securely, especially where sensitive personal information, such as conviction data, is concerned. I am pleased that the Trust is taking remedial action to guard against security breaches of this nature.”