ICO Censures Manchester Hospital For Data Breach

The NHS continues to live up to its reputation for being the worst institution for protecting confidential data, following a fresh reprimand from the Information Commissioner’s Office (ICO).

In its latest adjudication, the ICO found that the University Hospital of South Manchester NHS Foundation Trust had breached the Data Protection Act (DPA) by losing sensitive personal information relating to the treatment of 87 patients.

It seems the data loss occurred when a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes.

Training Assumption

The memory stick was then lost by the student during a subsequent placement in December last year.

The ICO said that its investigation had found that the hospital had automatically assumed that the student had received data protection training at medical school, and therefore did not provide medical students with the induction training given to its own regular staff.

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature,” said Sally Anne Poole, Acting Head of Enforcement at the ICO. “Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations.”

“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job,” she said.

Slap On The Wrist

The ICO has again opted not to issue a fine, but said that the hospital has agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

Meanwhile the ICO has received a further undertaking from the London Ambulance Service, which breached the DPA after a personal laptop was stolen from a contractor’s home.

The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

Long Litany

Data breaches within the NHS are a depressingly familiar story.

Back in June last year for example, the ICO published a list of the 1,000 data breaches reported since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the UK for the last three years.

And the cycle shows no sign of stopping.

In July researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients.

Last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 a NHS worker in the secure mental health unit of a Scottish hospital was suspended, after losing a USB stick containing patients’ medical records.

In an effort to help the NHS deal with data loss, the ICO produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.