Ipswich Hospital NHS Trust

What
Loss of sensitive personal data.

How much
30 records.

Why
A ward handover sheet was found outside the data controller’s premises. This was the second time inside a year that such an incident had been reported to the Commissioner.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it.

Reason for action
Following the incident in 2008 recommendations had been made to minimise the risk of such documents going astray, including instructions to dispose of these in confidential waste and never to remove them from Trust premises, but it was clear that these had not been adhered to by staff.

When
25 August 2009

Links
View PDF of the Ipswich Hospital NHS Trust Undertaking (Breach Watch Archive)

NHS Education for Scotland

What
Loss of sensitive personal data.

How much
6,377 records.

Why
An unencrypted laptop containing the personal data of 6,377 individuals was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was not encrypted as it was not intended to be taken off NES premises and was therefore not considered a “mobile device” under NES internal policy at the time.

When
14 August 2009

Links
View PDF of the NHS Education for Scotland Undertaking (Breach Watch Archive)

Imperial College Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
6,000 records.

Why
Six laptops were stolen from a secure area within the hospital on two separate occasions. In a separate incident a small number of paper records were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
One of the laptops was unencrypted despite containing sensitive personal data.

When
29 July 2009

Links
View PDF of the Imperial College Healthcare NHS Trust Undertaking (Breach Watch Archive)

East Cheshire NHS Trust

What
Loss of sensitive personal data.

How much
About 60 records.

Why
Personal data relating to over 60 patients were found in a garden in Newcastle-under-Lyme. This followed an office move during which an external company was retained to clear out scrap and rubbish from vacated premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that in all cases where third party suppliers of goods or services will have access to personal data, a written contract covering data security requirements must be entered into before work begins. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
The data controller did not enter into any written contract with the external company, nor were its actions appropriately supervised. It was noted during the clearance operations that boxes of data were being disposed of in open skips, but the data controller failed to react to this in time to prevent the loss of some records.

When
27 July 2009

Links
View PDF of the East Cheshire NHS Trust Undertaking (Breach Watch Archive)

NHS Lothian

What
Loss of personal data.

How much
162 records.

Why
A document wallet containing 25 paper files was temporarily left in a shop. In a second incident an unencrypted USB memory stick was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Network systems are to be introduced to prevent the use of unauthorised personal memory devices to download personal data being processed by NHS Lothian. Measures must be taken to ensure the physical security of all paper files containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The USB memory stick was unencrypted and was the personal property of an employee. In both cases the employees failed to comply with NHS Lothian security requirements.

When
21 July 2009

Links
View PDF of the NHS Lothian Undertaking (Breach Watch Archive)

Dr Paul Thomas

What
Loss of sensitive personal data.

How much
“A large number” of records.

Why
The Suffolk Primary Care Trust’s Practice server was found in the Gipping Valley Practice car park by one of the data controller’s employees. The Server held data relating to a large number of patients and staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the decommissioning process regarding Practice servers and other such devices has been completed successfully in order to ensure the safety of any personal data.

Reason for action
The decommissioning process did not ensure the security of personal data.

When
10 July 2009

Links
View PDF of the Dr Paul Thomas Undertaking (Breach Watch Archive)

Nightingale Practice

What
Loss of sensitive personal data.

How much
7,700 records.

Why
10 back-up tapes and a USB portable hard drive were stolen. The USB hard drive and five of the back-up tapes were not encrypted.

Regulator
ICO

Regulatory action
Undertaking issued to ensure the physical security of personal data. All portable media devices containing personal data must be encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
Physical security was adequate, as the devices were kept in a locked firesafe in a locked and alarmed environment, but the lack of encryption was unacceptable.

When
10 July 2009

Links
View PDF of the Nightingale Practice Undertaking (Breach Watch Archive)

Hampshire Partnership NHS Trust

What
Loss of personal data.

How much
607 records.

Why
An unencrypted laptop containing personal data relating to staff and patients was stolen from an employee’s hotel room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The laptop was unencrypted and stolen from the employee while he was attending a conference.

When
26 June 2009

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)

Epsom & St Helier University Hospitals NHS Trust

What
Insecure storage of sensitive personal data.

How much
“A large number” of records.

Why
A reporter discovered the insecure storage of hospital records relating to medical tests and treatment.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the possibility of unauthorised access to the data over the course of two years.

When
11 June 2009

Links
View PDF of the Epsom & St Helier University Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Royal Hampstead NHS Trust

What
Loss of sensitive personal data.

How much
20,000 records.

Why
An unencrypted disc containing patient information was discovered to be missing.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was not encrypted, and the member of staff responsible for downloading the data was believed to have known of its loss for five months before reporting it. Its whereabouts and the precise circumstances of its loss are unknown.

When
8 June 2009

Links
View PDF of the Royal Hampstead NHS Trust Undertaking (Breach Watch Archive)