ICO raps five NHS trusts over data losses


The Information Commissioner's Office (ICO) has repeated its calls for the NHS to sort out its data handling, issuing warnings to five trusts after breaches.

The warnings come after a pair of NHS data breaches earlier this year, and a letter from the information commissioner to the Department of Health citing his concerns with the health service's data control.

The five new incidents are classic data breaches - lost USB sticks, stolen laptops, documents left on public transport.

Surrey and Sussex NHS Trust not only had two unencrypted laptops stolen, but an employee also left a sheet containing data on 23 patients on a bus.

The Royal Free Hampstead NHS Trust lost an unencrypted disk that it thinks had medical details on 20,000 patients - but it's not entirely sure what was on the disk.

An unencrypted USB stick with data on 143 patients was stolen from an office of the Chelsea and Westminster Hospital Foundation Trust, while a laptop stolen from the Hampshire Partnership Trust held unencrypted data on 349 patients and 258 staff.

Last, Epsom and St Helier University Hospital NHS Foundation Trust was told off for insecurely storing records.

All of the trusts have promised the ICO they will shape up their data protection by locking offices, encrypting devices and training staff.

Sally-Anne Poole, head of enforcement and investigations at the ICO, said in a statement that the five cases should serve as a reminder to NHS bodies to keep patient data safe.

"Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them," she said in a statement.

"Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands."

The ICO has called on hospitals to encrypt their data.