The Information Commissioner's Office has ruled that Lampeter Medical Practice has breached the Data Protection Act after an unencrypted memory stick containing 8,000 patient details was reported lost.
Patient details were downloaded to a USB that was both unencrypted and non-password protected in March. This was done even though it contravened the practice policy. The memory stick was then posted by recorded delivery to the Health Boards Business Service Centre but failed to arrive and was reported lost.
Despite the breach, the ICO decided against using its recently increased powers to fine organisations up to £500,000 when found to be in breach of the DPA.
In its statement, the ICO confirmed that Dr Rowena Mathew, head of practice at Lampeter Medical Practice, has agreed to take remedial action by ensuring that sufficient steps are taken to make sure no future security breaches occur.
This will include making sure all mobile devices including laptops and memory sticks are encrypted, and that staff are fully aware of the organisations' data security policy.
Sally-Anne Poole, ICO enforcement group manager, explained that staff must always be made fully aware of an organisation's policy for securing personal data.
"Information should always be encrypted to prevent it being accessed in the event of loss or theft," she added.
"I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again."
The ICO has been forced to act in consecutive days. The West Berkshire Council was also forced to take remedial action after it lost a USB stick containing personal information about children, it was revealed yesterday.
An ICO investigation uncovered that unencrypted devices from 2006 were still being used by members of staff, despite the council adopting a policy to use encryption tools that same year.
It was also revealed that staff had not received appropriate training in data protection issues and monitoring of compliance with the council's policies was found to be inadequate.
Nick Carter, chief executive of West Berkshire Council, signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. He also agreed to make sure that staff will receive the necessary training.
This is the second data security incident reported by West Berkshire Council within six months.
The latest breaches show that the public sector organisations have been slow to adopt rigorous data protection policies.
The incidents also show that the privacy watchdog seems content to play an educational role, based on how it chose to handle the two situations. Both the West Berkshire Council and Lampeter Medical Practice effectively escaped with a slap on the wrist.
While the loss of 8,000 patient records is small when compared with the 51,000 details lost by Zurich Insurance in 2008, and the massive HMRC breach, it is not an insignificant amount. A small fine could have been an option to set a good example and help to make organisations aware of their responsibilities.
It will be interesting to see where the ICO draws the line on breaches and exactly how much data has to be misplaced before it uses the full extent of its powers.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago