Councils on the ‘naughty step’

Two councils have got into trouble with the Information Commissioner after losing data on children.

Sandwell Council has signed an undertaking [link] after one of its employees lost an unencrypted memory stick that held details relating to four families where vulnerable children, who had either been taken into care or were the subject of child protection plans.

The staff member had downloaded the details on to the stick so that they could do work from home but the device was lost on the journey.

It contained information relating to four families and was not password protected. The stick included details of why the reasons the children were under the care of the council’s children protection team.

 At Wigan Council the Chief Executive Joyce Redfearn has also had to sign an undertaking [link] after a laptop computer containing details on nearly all the children in the authority was stolen.

The laptop, which was password protected, was stolen from a locked office. But the details of 43,000 children had been downloaded on to the machine in breach of the Council’s policy.

Casino loses gamblers’ data

Losing the personal data of 26,000 gambling club members - not a good day at the office.

When the Information Commissioner reports on those organisations that have lost personal data it has predominantly been limited to the NHS.

Hospitals records, laptops and memory sticks have all managed to go AWOL and the relevant NHS body has had its knuckles rapped.

But this week the Commissioner has ventured into the exotic world of casinos because one of the country’s biggest gaming companies has put its hands up to losing customer data.

Now it’s one thing losing patients’ blood pressure readings but what sort of data would have been held on the laptop belonging to London Clubs International?

The company [website] owns and operates a string of casinos – five in London, and others in Southend, Brighton, Manchester, Nottingham, Glasgow and Leeds – and is well known for pulling in poker players.

It has now confessed to having had a laptop stolen from the data controller’s premises. The laptop contained personal details relating to around 26,000 people. Although the computer was password protected it was not encrypted.

The Information Commissioner did not serve an Enforcement Notice on the casino chain but the company has signed an undertaking to make sure everything is now encrypted and to bring in other security measures to ensure personal data is protected.

According to the company website the casinos have to comply with EU money laundering rules and so require ID from punters before they are allowed in to gamble.

Here is a copy of the undertaking. [link]

NHS losing yet more patient data

Carry on Data Loss?

Yet more NHS Trusts have been sent to the headmaster’s office for the slipshod way they deal with sensitive personal data.

This has been a recurrent theme this year and it would appear that the Information Commissioner is having a concerted push at NHS data security. Some might say it is like shooting fish in a barrel.

So far this year a total of 21 NHS executives in England have had to sign formal undertakings to promise to stick the letter of the Data Protection law.

The latest culprits are:

Surrey and Sussex Healthcare NHS Trust: A ward handover sheet containing the details of 23 patients was found discarded on a bus. Two computers, that were password protected, but contained the details of 80 patients were stolen from an area that was protected by three locked doors. Staff were said to have poor knowledge of the need to store data on network drives.

Royal Free Hampstead NHS Trust: A disc containing the details of 20,000 patients from the Cardiology department disappeared. The staff member responsible is said to have downloaded the data, of patients treated between 2000 and 2006 - but took five months to inform the hospital after the unencrypted disc disappeared. Where the disc is, how it was lost and exactly what it contains is unknown.

Hampshire Partnership NHS Trust: An employee attending a conference in London had their laptop stolen from the hotel. It contained the details of 349 patients and 258 staff. The laptop was not encrypted.

Epsom & St Helier University Hospitals NHS Trust: The Information Commissioner was brought in after a press report relating to the insecure handling of a  large quantity of patient records. An investigation found the records had been left in an room that was often unlocked after being moved from one site to another. Following a root cause analysis report by the Trust the Commissioner was still concerned the Trust appeared to have failed to recognise the staff training issues, equipment and resources factors, individual knowledge and skills areas, organisation and strategic issues and the question of culpability in respect of this breach.

Chelsea & Westminster Hospital NHS Foundation Trust: An unencrypted USB memory stick that held the personal data of 143 patients who attended a walk-in clinic at the hospital was stolen from an unattended and unlocked office. The memory stick belonged to the employee holding the clinic and was not password protected. The Trust employee was not aware that secure network drive and encryption facilities were available and used their own memory stick because Trust equipment was not available. It was also discovered that the Trust employee had used the memory stick and their own computer for home working.

More patient data going AWOL

Is that our missing memory stick?

The Information Commissioner’s Office (ICO) has warned another four NHS authorities about the way slipshod way they are handling patient data. All four organisations have signed undertakings to improve.

The public rebuke to the authorities comes hard on the heels of similar warnings to other health organisations reported here at ‘Password Blunder Blamed for Prison Breach’ and ‘Carers warned……

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “These four cases serve as a stark reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security.

“It is a matter of significant concern to us that in the last six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches. In these latest cases staff members have accessed patient records without authorisation and on occasions, have failed to adhere to policies to protect such information in transit. There is little point in encrypting a portable media device and then attaching the password to it.

“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands. Ultimately, the organisations risk losing the confidence of patients and their families.

“The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. These four organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action.”

St Georges Healthcare, London. Six laptop computers were stolen from the hospital’s Cardiac Management Offices. The laptops held information relating to almost 22,000 patients including their name, date of birth, contact details, hospital number and brief details of the patient’s planned treatment. Due to network connection problems the patient data had been stored on laptops against the Trust’s policy and the data was not encrypted.

Cambridge University Hospital Trust. A car wash attendant found a memory stick which when plugged into a computer revealed it held data belonging to the Trust and contained personal data of 741 patients. The memory stick, which was privately owned and unencrypted, contained data relating to medical treatment and had been left in an unattended car by a staff member from the hospital. The data had been downloaded on to the memory stick without the knowledge of the Trust.

The North West Hospitals NHS Trust. Two laptop computers stolen from the Audiology department of Central Middlesex Hospital held information on 181 patients including their name, date of birth, NHS or hospital number and hearing test results. The data was not encrypted. In a separate incident a desktop computer was stolen from the Clinical Haematology offices at Northwick Park Hospital. That computer held information on 180 patients including their name, hospital number, date of birth and some clinical follow up information. At the time of the theft, the swipe card security system that controlled entry to the building had been disabled for maintenance. The database containing the personal data in question was password protected, but was not encrypted.

Hull & East Yorkshire Hospitals Trust. A desktop PC, containing details of 300 patients, was lost during refurbishment of the renal dialysis office and a disused laptop, which held the data on around 2000 cancer patients was stolen from a locked office. Both devices were unencrypted.

The individual undertakings issued by the ICO can be seen here.

Uni rapped for Data Protection breach

Prof Alan Gilbert

The University of Manchester has landed itself in trouble with the Information Commissioner’s Office (ICO) after a staff member’s blunder resulted in the personal deatils of more than 1,700 students being e-mailed to 469 other students.

The university’s vice-chancellor Prof Alan Gilbert has now had to sign a formal undertaking to improve data security to ensure that a similar incident does not occur in the future.

The formal undertaking (link) reveals that a chain of mistakes within the University led to the e-mail being sent out to students.

It says: “The Information Commissioner was provided with a report from the data controller, regarding the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students.

This data included information relating to certain students ‘disabilities’ (“sensitive personal data” as defined by the Act). The information was published when a member of the University staff accidentally sent it as an attachment to an email, forwarded to some 469 students.

The information accidentally published was forwarded to the staff member by a colleague, when they had requested a list of the email addresses of certain students.

An extract of the full student record was provided, despite the fact that the staff member had no business need to acquire the full information, which included “sensitive personal information”. This was due to a fault in the relevant procedure, which has since been addressed.

The data controller did not on this occasion ensure adequate measures were taken, including ensuring compliance with training and procedures, to prevent the inappropriate internal transfer of the information, and its subsequent publication via the email attachment.

The Commissioner has taken into account the fact that the personal data in question related to details of disability, and could therefore potentially result in significant distress being caused to the individuals concerned.”

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “The Data Protection Act clearly states that organisations, including universities, must take appropriate measures to ensure that personal information is kept secure. This case reinforces the importance that only those authorised should have access to sensitive personal information such as a student’s disabilities and other health details. Despite the absence of a justifiable reason, the staff member was able to access the information and send it to students and peers which could cause significant distress to individuals concerned.

“Under the Data Protection Act, organisations must ensure that their policies on the transfer, sharing and publication of personal information are adequate and that staff members are aware and understand those policies. Manchester University recognises the seriousness of this case and has agreed to take immediate remedial action.”

Password blunder blamed for prison data breach

The missing memory card mysteriously vanished in the prison

Another health trust has been blamed for losing the sensitive medical details of its patients - this time the records of 6,360 prisoners and ex-prisoners which were put on to a memory stick.

The health trust in question - NHS Central Lancashire - has blamed the mistake on “human error”. Its report into the matter found that the memory stick was encrypted but the password was written on a note attached to the card.

The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December. Despite a search the stick has not been found.

NHS Central Lancashire said procedures on data security had not been adhered to but that it had now taken action to remind staff of their responsibilities.

Prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times and review dates were all included in the information.

An “immediate and urgent” review of data policies was undertaken to ensure consistency regarding the use of USBs after the incident, the trust said.

All data sticks across the PCT were recalled and staff were reminded how to handle personal and sensitive information of patients and employees.

The Trust’s chief executive Joe Rafferty said: “There was a failure in the system which led to this incident happening and we have taken steps to make sure this doesn’t happen again.

“We are pleased that the Information Commissioner’s Office has recognised the swift action taken by NHS Central Lancashire following the information security breach and that, as a result, at present no formal action will be taken.”

Editor’s note: Yet another example of a health trust managing to lose its patients’ data (see previous post ‘Carers careless…..). I suspect they will not learn until somebody sues them for it, and then they will realise there are financial implications to their incompetence. For an example of how even a relatively small health trust will try to spin the facts have a look at its press release (link). Please post any suggestions that the password might have been. Fletch? Porridge? Doh?

‘Carers’ warned over careless data losses