The Information Commissioner's Office has ruled that Lampeter Medical Practice has breached the Data Protection Act after an unencrypted memory stick containing 8,000 patient details was reported lost.
In March, patient details were downloaded to a USB memory stick that was neither encrypted nor password protected, in contravention of the practice's own policy. The memory stick was then posted by recorded delivery to the Health Board's Business Service Centre but failed to arrive and was reported lost.
Despite the breach, the ICO decided against using its recently increased powers to fine organisations up to £500,000 when found to be in breach of the DPA.
In its statement, the ICO confirmed that Dr Rowena Mathew, head of practice at Lampeter Medical Practice, has agreed to take remedial action to prevent further security breaches.
This will include making sure that all mobile devices, including laptops and memory sticks, are encrypted, and that staff are fully aware of the organisation's data security policy.
Sally-Anne Poole, ICO enforcement group manager, explained that staff must always be made fully aware of an organisation's policy for securing personal data.
"Information should always be encrypted to prevent it being accessed in the event of loss or theft," she added.
"I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again."
The ICO has been forced to act on consecutive days. West Berkshire Council was also required to take remedial action after it lost a USB stick containing personal information about children, it was revealed yesterday.
An ICO investigation uncovered that unencrypted devices issued in 2006 were still being used by members of staff, despite the council having adopted a policy requiring encryption tools that same year.
It was also revealed that staff had not received appropriate training in data protection issues and monitoring of compliance with the council's policies was found to be inadequate.
Nick Carter, chief executive of West Berkshire Council, signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. He also agreed to make sure that staff will receive the necessary training.
This is the second data security incident reported by West Berkshire Council within six months.
The latest breaches show that public sector organisations have been slow to adopt rigorous data protection policies.
The incidents also show that the privacy watchdog seems content to play an educational role, based on how it chose to handle the two situations. Both the West Berkshire Council and Lampeter Medical Practice effectively escaped with a slap on the wrist.
While the loss of 8,000 patient records is small when compared with the 51,000 details lost by Zurich Insurance in 2008, and the massive HMRC breach, it is not an insignificant amount. A small fine could have been an option to set a good example and help to make organisations aware of their responsibilities.
It will be interesting to see where the ICO draws the line on breaches and exactly how much data has to be misplaced before it uses the full extent of its powers.