Health body loses unencrypted data sticks

An NHS body in London has put hundreds of patients' sensitive personal data at ‘unnecessary risk’ after the loss of unencrypted USB devices, the UK's information regulator has found.

According to the Information Commissioner's Office, there were four separate breaches of data security by the South London Healthcare NHS Trust.

On 11 April the ICO reported that: “An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.”

The seventh data protection principle states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Between them, the two lost data sticks held data concerning 600 maternity patients and 33 children. In both cases the data was “put at unnecessary risk by it not being encrypted”.

Both devices were later found and the ICO accepted they were not readily accessible while they were missing.

The other two breaches concerned paper records that were misplaced or not securely stored.

Commenting on the continued use of unencrypted data sticks, IT security expert Graeme Stewart wrote: “Encryption isn't cutting edge anymore – it's a commodity.”

He was writing in response to news of data losses in similar situations by employees of a number of local authorities, including Croydon, Cheshire East and Norfolk. Mr Stewart was scathing about the ICO’s ability to address the problem and advocated stiffer penalties.