Winchester Vacancies

ICO raps Manchester hospital over DPA training after student loses memory stick

A medical student on a placement at a hospital in Manchester lost an unencrypted memory stick containing details of the treatment of 87 patients, the Information Commissioner’s Office has revealed.

An investigation by the watchdog concluded that the University Hospital of South Manchester NHS Foundation Trust had breached the Data Protection Act.

The hospital had assumed that the student had received training in data protection whilst at medical school. It therefore did not require them to undergo the induction training that it gives to its own staff.

The medical student had been working at the hospital’s Burns and Plastics Department and copied data onto the memory stick for research purposes. The stick was then lost by the student during a subsequent placement in December 2010.

The Trust has now given an undertaking to the ICO to take steps to ensure that personal information accessed by students is kept secure. All students will be made aware of the hospital’s data protection policies.

The ICO’s Acting Head of Enforcement, Sally Anne Poole, said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature.

“Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.”

In a separate case, the London Ambulance Service has also signed an undertaking after a personal laptop was stolen from a contractor’s home.

The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service, the ICO said.

The watchdog said the London Ambulance Service had now taken action to ensure that contractors were made aware of its existing policy on the use of personal data. This states that staff should not store patients’ information on their personal computers.