A press release from the UK’s Information Commissioner’s Office (ICO) reveals two privacy breaches resulting in agreements to take remedial and proactive steps.
The University Hospital of South Manchester NHS Foundation Trust breached the Data Protection Act by losing sensitive personal information relating to the treatment of 87 patients. The information was lost after a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes. The memory stick was then lost by the student during a subsequent placement in December last year. According to details provided in the undertaking, the personal data on the memory stick included patient name, age, occupation and details of the operation, specifically hand surgery.
The ICO’s investigation uncovered that the hospital had assumed that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff. The hospital has now agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.
In an unrelated incident, a second undertaking has been signed by the London Ambulance Service who breached the Data Protection Act after a personal laptop was stolen from a contractor’s home. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. the employee had emailed the information to a personal account and then downloaded it to his home computer, which was not encrypted. The laptop contained personal data relating to patients including name, address, date of birth, NHS numbers and accessibility requirements for transportation. It did not contain medical records or diagnosis information.