ICO raps health trust over stolen laptops

Recent thefts have once again highlighted the importance of encryption

The Information Commissioner's Office (ICO) has taken out an enforcement action against an NHS health trust after it breached its own security procedures.

The ICO said that it had taken action against Brent Teaching Primary Care Trust for a breach of the Data Protection Act. According to the privacy watchdog, the theft of two laptops from the organisation had exposed weaknesses in security procedures.

The ICO has requested that from now on the health trust conforms to more rigorous data protection controls.

Although the laptops, which contained personal information relating to almost 400 patients, were in a locked room, they were left on clear view on a desk and were taken during a burglary. The data held on the devices was not encrypted.

"Whilst the number of people affected was relatively small, some people's sensitive health information was contained on the stolen laptops," said assistant information commissioner Mick Gorrill.

"I am increasingly concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted. Organisations need to implement appropriate safeguards to ensure that personal details about patients are processed securely."

The ICO has required the trust to sign a document that binds it to a number of internal security improvements. For example, staff will have to be retrained, and any device that is used to store or transmit personal information must be encrypted.

Failure to comply will lead to further ICO intervention.