Mid Staffordshire NHS Foundation Trust

What
Loss of sensitive personal data.

How much
About three records.

Why
A member of the trust’s HR department saved a “Statement of Case” on a home computer in contravention of trust policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. The policy covering the storage and use of personal data must be followed by staff, especially when working from home. Trust policies must be amended to include explicit reference to staff data in terms of protecting personal information. Portable media devices must be suitably encrypted.

Reason for action
The information on the computer had not been password-protected or encrypted. The Trust initially failed to demonstrate appropriate urgency in securing the data concerned.

When
2 October 2009

Links
View PDF of the Mid Staffordshire NHS Foundation Trust Undertaking (Breach Watch Archive)