ICO raps Manchester hospital and London Ambulance Service after major data breaches

The Information Commissioner's Office (ICO) has chastised a Manchester hospital and the London Ambulance Service for failing to make staff aware of data protection guidelines after the loss of sensitive information on patients.

A student on placement at the University Hospital of South Manchester put details of 87 patients on an unencrypted USB stick for research purposes, but the device was lost when the student moved to another placement in December 2010.

An ICO investigation discovered the hospital assumed the student had received data protection training at medical school, and did not therefore provide training during an induction course.

The hospital has agreed to change its policies to ensure that personal information accessed by staff working at the hospital is kept secure.

Sally Anne Poole, acting head of enforcement at the ICO, said that the case underlines the need for healthcare providers to inform staff of all necessary data protection policies.

"Medics handle some of the most sensitive personal information possible and it is vital they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations," she said.

"NHS bodies have a duty to make sure that staff - permanent and temporary - understand their responsibilities on day one in the job."

Meanwhile, the London Ambulance Service has signed an undertaking with the ICO after a contractor breached the Data Protection Act when a personal laptop containing information on 2,664 patients was stolen from his home.

The Service has agreed to change its policies so that all staff know that personal devices must not be used to store sensitive information.

Poole said that both cases highlight a continuing need for the ICO to liaise with public health organisation to make them aware of their data protection obligations.

"We will continue to work with healthcare bodies and education providers to make sure data protection training is a mandatory part of people's education," she added.