ICO Censures Manchester Hospital For Data Breach

The NHS continues to live up to its reputation for being the worst institution for protecting confidential data, following a fresh reprimand from the Information Commissioner’s Office (ICO).

In its latest adjudication, the ICO found that the University Hospital of South Manchester NHS Foundation Trust had breached the Data Protection Act (DPA) by losing sensitive personal information relating to the treatment of 87 patients.

It seems the data loss occurred when a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes.

Training Assumption

The memory stick was then lost by the student during a subsequent placement in December last year.

The ICO said that its investigation had found that the hospital had automatically assumed that the student had received data protection training at medical school, and therefore did not provide medical students with the induction training given to its own regular staff.

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature,” said Sally Anne Poole, Acting Head of Enforcement at the ICO. “Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations.”

“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job,” she said.

Slap On The Wrist

The ICO has again opted not to issue a fine, but said that the hospital has agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

Meanwhile the ICO has received a further undertaking from the London Ambulance Service, which breached the DPA after a personal laptop was stolen from a contractor’s home.

The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

Long Litany

Data breaches within the NHS are a depressingly familiar story.

Back in June last year for example, the ICO published a list of the 1,000 data breaches reported since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the UK for the last three years.

And the cycle shows no sign of stopping.

In July researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients.

Last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 a NHS worker in the secure mental health unit of a Scottish hospital was suspended, after losing a USB stick containing patients’ medical records.

In an effort to help the NHS deal with data loss, the ICO produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • http://bit.ly/nR7qBj This link here is a free guide to managing mobile device risk, specifically for the healthcare industry. I think with the paranoia of hackers, IT managers in hospitals tends to focus solely on firewalls and encryption. Where they should really not forget physical security of their laptops, which hundreds of employees use. Something as simple as using a laptop lock could prevent up to 40% of thefts. And another study by Data Loss DB found that device theft was the leading cause of data breaches.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago