
Manchester hospital loses patients’ personal data

While London Ambulance Services breaches Data Protection Act after laptop theft

The Information Commissioner's Office (ICO) has found the University Hospital of South Manchester NHS Foundation Trust in breach of the Data Protection Act (DPA) after losing an unencrypted USB key containing patients' personal data.

Sensitive personal information relating to the treatment of 87 patients at the hospital was lost after a medical student copied data onto a personal, unencrypted memory stick - provided by the Trust - for research purposes.

The student was on a placement at the hospital's burns and plastics department at the time, and lost the stick during another placement in December 2010.

Following an investigation, the ICO found that the hospital did not provide students with induction training, including DPA-related training, which it gave to its own staff. The hospital assumed that the student had received data protection training at medical school.

The University Hospital of South Manchester has now signed an undertaking to ensure that all students are aware of its data protection policies, so that personal information accessed by students is kept secure.

Sally Anne Poole, acting head of enforcement at the ICO, said: "This case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.

"NHS bodies have a duty to make sure their staff - both permanent and temporary - understand their responsibilities on day one in the job."

Separately, the London Ambulance Service NHS Trust has also today signed an undertaking after it was found to have breached the DPA when a personal, unencrypted laptop was stolen from a contractor's home.

The laptop contained personal data and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. However, it did not contain medical records.

Although the contractor had legitimate access to the records, the member of staff had emailed them to a personal account in order to work from home, which breached the Trust's policy, and then downloaded the information onto a personal, unencrypted laptop.

The London Ambulance Service has now agreed to ensure that all staff are made aware of the Trust's data protection policies.
