The University Hospital of South Manchester NHS Foundation Trust breached the Data Protection Act by losing sensitive personal information relating to the treatment of 87 patients, the Information Commissioner’s Office (ICO) said today.
The information was lost after a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes. The memory stick was then lost by the student during a subsequent placement in December last year.
The ICO’s investigation uncovered that the hospital had assumed that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff.
The hospital has now agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.
Sally Anne Poole, Acting Head of Enforcement said:
“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.
“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”
A further undertaking has been signed by the London Ambulance Service who breached the Data Protection Act after a personal laptop was stolen from a contractor’s home. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.