2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick  containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented  All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of site, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)

The North West London Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 361 records.

Why
Two laptop computers were stolen and in a separate incident, a desktop computer was stolen. In both cases these devices held the personal data of patients.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. All storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
In both cases the machines were password protected but not encrypted. In the second incident a swipe card security system that controlled entry to the building has been disabled for maintenance.

When
19 March 2009

Links
View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Hastings and Rother Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
A desktop computer containing health data relating to a number of patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data, whether on the data controller’s premises or those of another organisation. All staff must receive adequate data protection training.

Reason for action
It is believed that the computer was stolen by an opportunistic thief who entered the building via scaffolding that was not normally in place. The data controller did not own this building, but had not taken measures to safeguard the personal data held on the premises.

When
23 January 2009

Links
View PDF of the Hastings and Rother Primary Care Trust Undertaking (Breach Watch Archive)

Brent Teaching Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted, Staff must be adequately trained on the data controller’s information security policies.

Reason for action
The laptops were unencrypted and although the office was locked they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.

When
19 January 2009

Links
View PDF of the Brent Teaching Primary Care Trust Undertaking (Breach Watch Archive)

Abertawe Bro Morgannwg University NHS Trust

What
Loss of personal data.

How much
5,000 records.

Why
An unencrypted laptop containing sensitive personal data relating to approximately 5,000 patients was stolen from an unlocked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the portable and mobile devices are encrypted to a suitable standard.

Reason for action
The Laptop was unencrypted and the office was not locked as it usually would have been.

When
14 January 2009

Links
View PDF of the Abertawe Bro Morgannwg University NHS Trust Undertaking (Breach Watch Archive)