UK: Two organizations sign undertakings after privacy breaches
Two NHS trusts have signed undertakings to improve data protection following breaches.
Hertfordshire County Council signed an undertaking following the loss of an Attendance and Pupil Support consultation folder in January 2011. The lost bag contained hard copy records of primary school consultation visits and the documents in the folder included pupil name and information relating to attendance issues. That information also included some information on physical and mental health issues.
South London Healthcare NHS Trust also signed an undertaking, following four data protection incidents:
- In the first incident, data relating to approximately 600 maternity patients had been downloaded on to an employee’s personal memory stick in order to do some work at home. The data were not encrypted at the time the stick was lost. The stick was subsequently recovered.
- In the second incident, the unencrypted names and dates of birth of 30 children and full audiology reports for 3 other children were on a memory stick that was lost. That stick was also subsequently recovered.
- In the third incident, a junior doctor took ward lists out of a hospital in breach of data controller policy. These lists contained the name, date of birth, diagnosis, treatment plan and test results for 122 patients.
- In the fourth incident, the data controller reported that some Genito-Urinary Clinic outpatient files were not being locked away when not in use although they were being stored in areas with secure access controls.
(Headline corrected post-publication)