ICO says NHS puts records at risk

Thursday, July 16, 2009

Five more NHS trusts have been found in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO), with one trust leaving notes on a bus.

Some of the information involved in the latest of a long list of data breaches by the NHS was classified as "sensitive personal data", which could include information on previous offences a person committed or was investigated for.

The five trusts found in breach were the Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital Foundation Trust, Epsom and St Helier University Hospital NHS Foundation Trust, Surrey and Sussex NHS Trust and Hampshire Partnership NHS Trust.

Royal Free reported the loss of an unencrypted compact disc initially thought to contain medical treatment details of 20,000 patients from the hospital's cardiology department. The trust has since reported to the ICO that it cannot be precise about the information contained on the disc.

Chelsea and Westminster reported the theft of an unencrypted memory stick containing the details of 143 patients, including sensitive medical information. The trust believes the information was stolen from an unlocked office that was being used as a walk-in clinic. The memory stick was not password protected or encrypted, and an employee had been taking it home for use on his personal computer.

Epsom and St Helier was in breach after it was discovered that it had been storing hospital records insecurely for nearly two years after data had been transferred between hospitals.

Surrey and Sussex breached the DPA twice. A ward handover sheet, containing information relating to 23 patients in the care of the trust, was found on a bus. The trust also reported the theft of two laptop computers. Although they were kept behind three locked doors, they were not encrypted.

Hampshire reported the theft of an unencrypted laptop computer holding the personal data of 349 patients and 258 staff. The laptop was stolen from an employee attending a health conference.

The ICO said the trusts have agreed to implement the appropriate security measures to ensure that personal details are properly protected by establishing physical safeguards, such as locking an office. Staff will be appropriately trained on the policy for storage and how to follow that policy. Laptops, mobile and portable devices held by Royal Free, Chelsea and Westminster and Hampshire will be password protected and encrypted.

Sally-anne Poole, head of enforcement and investigations at the ICO, said: "These five cases serve as a reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security. It is important that staff adhere to policies designed to protect individuals' sensitive information.

"Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details, falling into the wrong hands."