Ashford & St Peter’s Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
A number of records.

Why
Three unencrypted USB memory sticks were lost or stolen over a period of several weeks between 28 May and 26 June 2009.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action

The USB sticks were unencrypted and their loss was not formally reported to the data controller’s management until after the third incident in lane June 2009. The investigation into these incidents revealed a lack of understanding and awareness among staff of the requirements of data protection legislation. It was also revealed that staff had not received any formal data protection training.

When
20 October 2009

Links
View PDF of the Ashford & St Peter’s Hospitals NHS Trust Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500