Southampton rapped by ICO
- 25 January 2010
Southampton University Hospitals NHS Foundation Trust has become the latest NHS organisation to be rapped for breaching the Data Protection Act.
Chief executive Mark Hackett was required to sign an undertaking to improve data security by the Information Commissioner’s Office, after an incident in which 33,000 patient records were stolen.
The records had been downloaded onto a password protected but unencrypted laptop that was stolen from an "unlocked and unattended" retinal screening vehicle in October last year.
The laptop was attached to the van by a security cable, but this was cut during the theft. Sally-anne Poole, head of investigations at the ICO, said: "Storing large volumes of personal information on portable devices is unncessarily risky.
"Why were so many records downloaded onto an unencrypted laptop in the first place? It is vital that NHS organisations ensure their staff handle personal information securely."
Southampton’s undertaking says it will now ensure that portable devices, including laptops, are encrypted and that better physical security measures are taken. It also says it will make sure that staff are aware of its policies for storing and using personal data and trained in how to follow them.
The NHS was told to encrypt all removable devices following HM Revenue and Customs’ loss of 25m child benefit details on unencrypted CDs in November 2007.
The message was reinforced by the Department of Health in September 2008, when NHS chief executive Sir David Nicholson wrote to all chief executives asking them to make sure this had happened.
NHS Connecting for Health has made encryption software available for trusts. In a statement issued to its local paper, Southampton University Hospitals NHS Trust said it had taken action.
“The trust has recently completed a programme to encrypt its portable computers, but at the time of the incident, due to some special circumstances related to the way this laptop is used, it was one of a small number not yet fully protected,” it said.
“We have introduced a number of measures to improve security and encryption and want to reassure our patients that we are doing everything in our power to minimise the risk of an incident of this type occurring in the future."
Earlier this month, the ICO issued guidance on how it will use the powers it was given to impose monetary policies of up to £500,000 for "serious" breaches of the DPA after the HMRC scandal.
The guidance illustrates how the powers could be used with a number of NHS examples.