A junior doctor had recorded patient medical details on a USB stick which he had intended to give to the next doctor on shift. However he forgot to do so and took the unprotected device with him at the end of the shift and it was subsequently lost.
The Information Commissioner’s Office (ICO) found that the trust had contravened the Data Protection Act.
Subsequent investigation showed that the doctor was unaware of the trust’s data protection policies and claimed not to have access to receive policy reminders and updates. The ICO also found that the trust’s policy on the use of personal USB sticks was not clear and that no technical measures were in place at the time to prevent misuse of portable devices.
The case serves as a reminder to all our NHS clients to ensure not only that they have clear policies in place with regard to the use of sensitive personal data, but that their IT systems should only be able to support encrypted devices and not support the use of non-trust equipment.
Of wider importance, this case illustrates the need to ensure not only that policies are in place but that their contents are adequately communicated to those staff that need to know about them!