Loss of sensitive personal data.
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted, Staff must be adequately trained on the data controller’s information security policies.
Reason for action
The laptops were unencrypted and although the office was locked they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.
19 January 2009