The Forth Valley NHS board has been found in breach of the Data Protection Act after an unencrypted memory stick with no password protection was discovered.
The Information Commissioner's Office (ICO) said that the stick was handed in to a member of the press and enquiries found that the information had been uploaded by a member of staff onto a personally owned memory stick that was then lost or stolen.
Fiona Mackenzie, CEO of the Forth Valley NHS board, has signed a formal undertaking outlining that the organisation will only use portable and mobile devices issued by the NHS board to process personal data. All members of staff will be fully aware of the policies and procedures in place to safeguard personal information and will be appropriately trained to follow those policies.
The board will also implement a number of security measures to protect personal information more effectively, including physical security measures to prevent the upload of board data onto any unauthorised mobile device.
Ken Macdonald, assistant commissioner for Scotland at the ICO, said: “This case highlights the importance of health bodies complying with the Data Protection Act when storing and transferring patients' sensitive personal information.
“All staff members should be fully aware of the policies and procedures in place to safeguard personal information to stop it falling into the wrong hands. I am pleased the organisation is taking remedial steps to ensure such an incident does not happen again.”
Chris McIntosh, CEO of Stonewood, said: “We have been assured that measures are being taken to prevent a repeat of this, but remember that the NHS was recently singled out as the single greatest culprit in losing sensitive information, whether on patients or staff.
“As this case shows, organisations can say that they are putting into effect firm protocols to protect data. However, unless they actually match this with positive action they will be doing nothing more than shifting the burden of responsibility onto employees, rather than providing any actual progress.
“Controls must be put in place to ensure that there is no way for information to be saved on unencrypted storage at any point in the first place. Encrypting personal data needs to be routine: otherwise, health services and other organisations will have to resign themselves to the consequences of the next, inevitable data loss.”
Anders Pettersson, CSO of BlockMaster, said: “IT users today are more mobile than ever, with the use of USB sticks driving efficient working practices. This however is exposing businesses to unprecedented security risks from lost or stolen sticks, containing valuable company data. A secure USB solution would have provided the NHS trust with full confidence that data is secure at all times and that it has not been tampered with, providing full accountability on all user actions.
“It is simply unworkable to try and prevent staff from downloading information on portable devices like USB memory sticks. Companies must provide their employees with the right training and equipment to ensure security best practice. Although blame inevitably falls at the door of the person who loses data, it is still the responsibility of the ICO to take a stand and enforce policies, best practice – and if necessary – fines in order to lead by example in the constant battle to eliminate data loss.”