NHS Lothian

What
Loss of personal data.

How much
162 records.

Why
A document wallet containing 25 paper files was temporarily left in a shop. In a second incident an unencrypted USB memory stick was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Network systems are to be introduced to prevent the use of unauthorised personal memory devices to download personal data being processed by NHS Lothian. Measures must be taken to ensure the physical security of all paper files containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The USB memory stick was unencrypted and was the personal property of an employee. In both cases the employees failed to comply with NHS Lothian security requirements.

When
21 July 2009

Links
View PDF of the NHS Lothian Undertaking (Breach Watch Archive)