The Information Commissioner’s Office (ICO) has found Grampian NHS in breach of the Data Protection Act after the Trust itself reported three separate data security incidents at Aberdeen’s Royal Infirmary.
A senior nursing manager “inappropriately” emailed 50 staff with sensitive personal details relating to a patient; lack of secure storage on a labour ward enabled an individual to remove 200 patients’ personal details from a confidential waste sack; and an unencrypted laptop containing details of 1,500 patients in a gastroenterology clinic was stolen from a locked office. The ICO discovered that staff, patients and visitors could have had access to confidential waste, and that many were not aware of the correct procedures for disposing of such material. Some had also been using home computers for work-related tasks involving personal information and using USB sticks to transfer the work, contravening the organisation’s own policies and procedures. The ICO says NHS Grampian “will be taking a number of steps to improve data security to ensure that it complies with the Data Protection Act”.