NHS Birmingham East and North

What

Sensitive personal information kept insufficiently secure.

How much

“Thousands” of records.

Why

The data controller realised that its own employees could access restricted information relating to patients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technical security measures are adequate to keep the data secure.

Reason for action

The data controller brought the matter to the attention of the Data Commissioner. Although this data was only accessible internally, it was felt that this displayed inadequate security.

When

20 April 2011.

Links

View PDF of the NHS Birmingham East and North Undertaking (Via ICO Website)

View PDF of the NHS Birmingham East and North Undertaking (Breach Watch Archive)

University College London Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

750 records.

Why

Loss of an unencrypted memory stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are sufficiently encrypted and that staff are trained in the transportation of such data.

Reason for action

Sensitive personal information should never have been transported off site in an unencrypted media device.

When

15 April 2011.

Links

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

NHS Liverpool Community Health

What

Loss of sensitive personal information.

How much

31 records

Why

Files were transported in uncollected crates by a removal company with which the data controller had no contract.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that written contracts are used whenever third parties might have access to sensitive data and that clear and precise policies are put in place for how data is to be transported while moving offices.

Reason for action

Contradictory instructions given to staff members by the removal company led to confusion as to how the data could be transported, and the short notice led to errors.

When

11 April 2011.

Links

View PDF of the NHS Liverpool Community Health Undertaking (Via ICO Website)

View PDF of the NHS Liverpool Community Health Undertaking (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was inappropriately sent out in response to a third-party Subject Access Request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of Subject Access Requests led to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Warrington and Halton Hospitals NHS Trust

What

Loss of sensitive data.

How much

110 records

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Although the data controller had a policy in place requiring all such devices to be encrypted, this laptop had not been encrypted, nor had it been identified as a security risk, even though it had no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)

NHS Blood and Transplant

What

Loss of sensitive personal information.

How much

444,031 records

Why

Organ donation preferences were recorded incorrectly due to a software error.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is routinely checked for accuracy.

Reason for action

The software error had been introduced into the system early in 1999 and had not been uncovered in the years that followed due to a lack of data checks.

When

21 January 2011

Links

View PDF of the NHS Blood and Transplant Undertaking (Via ICO Website)

View PDF of the NHS Blood and Transplant Undertaking (Breach Watch Archive)

North West London Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

56 records.

Why

A computer printout containing patient information was kept in a general folder used for auditing, which was accidentally left on a tube train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that pseudonymisation techniques are used where individual identification of patients is needed for audit work.

Reason for action

Although much audit work is carried out at home, there was no need for this computer printout to contain the genuine identities of patients.

When

14 October 2010

Links

View PDF of the North West London Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Forth Valley NHS Board

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted, non-password-protected memory stick containing sensitive personal data was handed in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board-issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)

East & North Hertfordshire NHS Trust

What

Loss of sensitive personal information.

How much

Unknown.

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller’s policy on the use of portable media, and on the storage and use of personal media, is clarified and that all staff are made aware of its provisions.

Reason for action

The unencrypted USB stick had not been issued by the data controller.

When

20 September 2010

Links

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Via ICO Website)

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Breach Watch Archive)

Royal Wolverhampton Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear exactly how the CD had come to be made. Patient charts released to consultants would not be chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)