Ashford & St Peter’s Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
A number of records.

Why
Three unencrypted USB memory sticks were lost or stolen over a period of several weeks between 28 May and 26 June 2009.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action

The USB sticks were unencrypted and their loss was not formally reported to the data controller’s management until after the third incident in late June 2009. The investigation into these incidents revealed a lack of understanding and awareness among staff of the requirements of data protection legislation. It was also revealed that staff had not received any formal data protection training.

When
20 October 2009

Links
View PDF of the Ashford & St Peter’s Hospitals NHS Trust Undertaking (Breach Watch Archive)

Maidstone and Tunbridge Wells NHS Trust

What
Loss of sensitive personal data.

How much
About 33 records.

Why
An unencrypted laptop was stolen from the Audiology Department. Three other encrypted laptops belonging to the data controller had also been stolen a month prior.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that within six months any personal data held on a laptop computer or any other removable media by the data controller is identified and encrypted.

Reason for action

Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
16 October 2009

Links
View PDF of the Maidstone and Tunbridge Wells NHS Trust Undertaking (Breach Watch Archive)

Gloucestershire Primary Care Trust

What
Loss of sensitive personal data.

How much
About 2,270 records.

Why
Six unencrypted desktop computers containing personal data relating to 2,270 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The computers were password protected but not encrypted. The patient data should have been held on a local server rather than on the hard drives of the stolen computers.

When
15 October 2009

Links
View PDF of the Gloucestershire Primary Care Trust Undertaking (Breach Watch Archive)

Mid Staffordshire NHS Foundation Trust

What
Loss of sensitive personal data.

How much
About three records.

Why
A member of the trust’s HR department saved a “Statement of Case” on a home computer in contravention of trust policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. The policy covering the storage and use of personal data must be followed by staff, especially when working from home. Trust policies must be amended to include explicit reference to staff data in terms of protecting personal information. Portable media devices must be suitably encrypted.

Reason for action
The information on the computer had not been password protected or encrypted. The Trust initially failed to demonstrate appropriate urgency in the securing of the data concerned.

When
2 October 2009

Links
View PDF of the Mid Staffordshire NHS Foundation Trust Undertaking (Breach Watch Archive)