Loss of sensitive personal data.
A desktop computer containing health data relating to a number of patients was stolen.
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of equipment used to process personal data, whether on the data controller’s premises or those of another organisation. All staff must receive adequate data protection training.
Reason for action
It is believed that the computer was stolen by an opportunistic thief who entered the building via scaffolding that was not normally in place. The data controller did not own this building, but had not taken measures to safeguard the personal data held on the premises.
23 January 2009