Manchester hospital loses patients’ personal data

While London Ambulance Services breaches Data Protection Act after laptop theft

The Information Commissioner's Office (ICO) has found the University Hospital of South Manchester NHS Foundation Trust in breach of the Data Protection Act (DPA) after losing an unencrypted USB key containing patients' personal data.

Sensitive personal information relating to the treatment of 87 patients at the hospital was lost after a medical student copied data onto a personal, unencrypted memory stick - provided by the Trust - for research purposes.

The student was on a placement at the hospital's burns and plastics department at the time, and lost the stick during another placement in December 2010.

Following an investigation, the ICO found that the hospital did not provide students with induction training, including DPA-related training, which it gave to its own staff. The hospital assumed that the student had received data protection training at medical school.

The University Hospital of South Manchester has now signed an undertaking to ensure that all students are aware of data protection policies, to keep personal information accessed by students secure.

Sally Anne Poole, acting head of enforcement at the ICO, said: "This case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.

"NHS bodies have a duty to make sure their staff - both permanent and temporary - understand their responsibilities on day one in the job."

Separately, the London Ambulance Service NHS Trust has also today signed an undertaking after it was found to have breached the DPA when a personal, unencrypted laptop was stolen from a contractor's home.

The laptop contained personal data and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. However, it did not contain medical records.

Although the contractor had legitimate access to the records, the member of staff had emailed them to a personal account for working from home, which led to the breach of the Trust's policy, and then downloaded the information onto a personal, unencrypted laptop.

The London Ambulance Service has now agreed to ensure that all staff are made aware of the Trust's data protection policies.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags public sectorInformation Commissioner's Office

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anh Nguyen

Latest Videos

More videos

Blog Posts