Out-Law News

Hospital promises more data protection training after medical student loses sensitive data


A hospital has promised to keep information more secure after a medical student lost a memory stick containing sensitive personal information on 87 patients.

The University Hospital of South Manchester NHS Foundation Trust has promised privacy watchdog the Information Commissioner's Office (ICO) that it will make sure all students have data security training, the ICO said.

Organisations responsible for holding personal data must secure it from "unauthorised or unlawful processing ... and against accidental loss or destruction of, or damage to, personal data," a principle of the Data Protection Act (DPA) provides.

Under the DPA "sensitive personal data" includes personal data relating to an individual's "physical or mental health or condition". Because information about such matters could be used in a discriminatory way, and is likely to be of a private nature, it must be treated with greater care than other personal data.

The information was lost in December 2010 by a medical student who had been on a placement at the hospital's burns and plastics unit. The student had copied the data onto an unencrypted memory stick for research purposes, the ICO said.

The NHS Trust had assumed that the student had received data protection training as part of his medical studies, but this was not the case, according to the undertaking (3-page / 144KB PDF) signed by the NHS Trust.

"This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature," said Sally Anne Poole, acting head of enforcement at the ICO. "Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job."

In the undertaking the Trust promised to ensure that all students are told of its data security policies and procedures. Regular monitoring will also take place to ensure access to personal data for research and education purposes complies with the Trust's data protection and IT security policies, the undertaking said.

"While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education", Poole said in the ICO statement.
