Loss of sensitive personal data.
About 1,000 records.
An unencrypted computer containing the personal data of around 1,000 patients was stolen.
Undertaking issued to ensure that all portable media devices and computers used to store or transport personal data are suitably encrypted. A data protection policy must be drafted and all staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.
Reason for action
It was not possible to notify the patients affected by the theft as the data on the computer was not separately backed up. Further enquiries revealed that the data controller did not have in place appropriate policies and procedures with regard to data protection matters.
8 September 2009