The Information Commissioner’s Office (ICO) has found Lampeter Medical Practice to be in breach of the Data Protection Act, after an unencrypted memory stick containing the personal details of 8,000 patients was reported lost to the privacy watchdog.
In March 2010, a member of staff downloaded a database containing patient details in contravention of practice policy. The staff member downloaded the information on to an unencrypted and non-password-protected computer memory stick, which was then posted by recorded delivery to the Health Boards Business Service Centre. The memory stick did not arrive at its intended destination and is now accepted to be lost.
Dr Rowena Mathew, Head of Practice of Lampeter Medical Practice, has agreed to take remedial action by taking sufficient steps to ensure a security breach doesn’t occur again. This includes ensuring all mobile devices, including laptops and memory sticks, are encrypted, ensuring physical security measures are sufficient, and making staff fully aware of the organisation’s data security policy.
Sally-anne Poole, Enforcement Group Manager, said: “It is unnecessarily risky to download 8,000 personal details on to a memory stick. It is imperative that staff are made fully aware of an organisation’s policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft. I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again.”
A copy of the undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
Source: Information Commissioner’s Office