An NHS board breached data protection rules when a member of staff lost sensitive patient records, an investigation has found.
The medical records of patients at a secure hospital near Falkirk were uploaded onto a personal memory stick, which was then lost. It was found by a 12-year-old boy in a supermarket car park in May.
NHS Forth Valley has agreed a number of measures to prevent such a loss happening again.
The USB stick reportedly contained the criminal histories of some violent patients as well as details about staff at the Tryst Park unit at Bellsdyke Hospital.
The centre provides care for adults with severe mental health problems.
A member of staff was suspended after the unencrypted stick was handed to a newspaper.
Read more on BBC.
The Information Commissioner’s Office (ICO) issued the following statement:
The Information Commissioner’s Office (ICO) has found the Forth Valley NHS Board in breach of the Data Protection Act (DPA) after the loss of sensitive personal data relating to Board staff and patients.
The ICO was informed that an unencrypted memory stick with no password protection and containing personal information held by the Forth Valley NHS Board had been handed in to the press. Enquiries established that the information had been uploaded by a member of staff onto a personally owned memory stick that was then lost or stolen.
Ken Macdonald, Assistant Commissioner for Scotland at the ICO said: “This case highlights the importance of health bodies complying with the Data Protection Act when storing and transferring patients’ sensitive personal information. All staff members should be fully aware of the policies and procedures in place to safeguard personal information to stop it falling into the wrong hands. I am pleased the organisation is taking remedial steps to ensure such an incident does not happen again.”
Fiona Mackenzie, Chief Executive Officer of the Forth Valley NHS Board, has signed a formal undertaking outlining that the organisation will only use portable and mobile devices issued by the Board to process personal data. All staff members will be fully aware of the policies and procedures in place to safeguard personal information and will be appropriately trained to follow those policies. The Board will also implement a number of security measures to protect personal information more effectively, including physical security measures to prevent the upload of Board data onto any unauthorised mobile device.
A full copy of the undertaking can be found here:
http://www.ico.gov.uk/Home/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings