Loss of sensitive personal data.
An unencrypted disc containing patient information was discovered to be missing.
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.
Reason for action
The disc was not encrypted and the member of staff responsible for downloaded the data was believed to have known of its loss for five months before reporting it. It’s whereabouts and the precise circumstances regarding its loss are unknown.
8 June 2009