A medical student lost sensitive personal information relating to 87 patients after storing them on a unprotected memory stick.
The student – who had been on placement at Wythenshawe hospital's burns and plastics unit – copied the data from a computer for 'research purposes'. But the stick was lost in December last year.
An official watchdog has now ruled that the hospital breached the Data Protection Act as a result of the incident.
Investigators from the Information Commissioner's Office (ICO) slammed the University Hospital of South Manchester NHS Foundation Trust, which runs Wythenshawe hospital, for wrongly assuming that the student had received data protection training at medical school.
The trust should have given the student the usual induction training it gave its own staff, the ICO said.
The trust has now agreed to take 'significant' steps to ensure that the personal information accessed by students working at the hospital is kept secure.
It will also ensure all students are aware of data-protection policies.
Sally Anne Poole, acting head of enforcement at the ICO, said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.
“Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations.
“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.
“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”
Tweet
Comments
Login or Register to comment
It really is time the public sector caught up with the private sector on data protection issues. My company disabled the ability to extract data on to pen drives years ago!
ok think back, where did you last have it ???
'Research purposes?'
Pretty sure i got a lead on where the 'student' had it last.......obviously in the middle of a booze-up in the pub lol
lessons will be learnt. sure they will.. when as an outpatient they constantly used my personal data in their clinic letters. AND II believe one other.. If there's 2 of us there's more?/
No Excuse, also it is so easy to protect data and also make back up copies
Products that encrypt data on storage devices, such as USB sticks have been available for quite a while now.
This is the classic Burglar alarm syndrome - just ask any alarm salesperson when the best time to sell a Burglar alarm is. The answer is the day after a house has been robbed.
Many organisations pay lip service to data security issues, yet many of the same organisations look to hide behind the cloak of the Data Security Act at the earliest opportunity.
"Have you tried looking under the bed?"
But which bed, and in which ward?
This kind of thing will continue until people are sacked for incomptence.
But in the public sector incomptenece is not a a sackable offence.
The data should have been anonoymised especially if its for research purposes in any research degree this would be a failed assignment!
What happened to ethics and the medical profession?
The NHS, make no mistake about it communicate about patients day out without even the patients knowledge often malicously and patronisingly not suprising mistake like this happens when the NHS has such 'hidden' standards.
This case has hit the headlines at Whythemshaw due to high numbers on the data drive however the hospitals whole policy on communicating honestly and transparently with patients is a cause for serious concern. Interestingly the same trust was recently in the spotlight for sweeping 540 complaints from NHS patients under the carpet trying to pretend they had nil complaints I wonder why ? Perhaps they could do with a cache booster!