The National Health Service in the U.K. came under fire this week, when it was chastised by the Information Commissioner's Office for losing sensitive data relating to 87 patients.
According to the ICO, the University Hospital of South Manchester NHS Foundation Trust violated the nation's Data Protection Act when a medical student copied data onto an unencrypted memory stick for research purposes. The student, who was training at the hospital's burns and plastics department, reportedly lost the stick last December.
Rather than pointing fingers at the student, the ICO has laid the blame on the NHS, asserting that the hospital had mistakenly assumed that the student had received adequate data security training – which, evidently, was not the case.
The issue of data security training has been a significant one for the ICO recently. Last week, the Scottish Children's Reporter Administration was reprimanded by the ICO for poor data protection practices after it was revealed that the SCRA had exposed sensitive information on children on two separate occasions. In response, the ICO noted that the SCRA was taking steps to keep employees abreast of data security best practices.
The University Hospital of South Manchester NHS Foundation Trust is taking a similar approach to data protection. According to the ICO, the hospital has agreed to educate students about data protection policies, among other steps.
"While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education," said the ICO's acting head of enforcement Sally Anne Poole in a press release.
Poole pointed out that data protection practices for healthcare providers are especially important, given the amount of sensitive information the organizations handle. To achieve compliance with various regulations and avoid potential fines, healthcare organizations must be mindful that they are not putting patient data in harm's way.
This isn't the first time the NHS has run into trouble with the ICO in recent months. In July, the ICO released a statement asserting that health service organizations need to improve data security practices after it was revealed that five NHS bodies had violated the Data Protection Act. Evidently, however, the practices have not improved as quickly as some would hope.