Student at Manchester University lost patient details

Updated October 2011

A student at the University Hospital of South Manchester lost sensitive personal information relating to the treatment of 87 patients in December 2010, the Information Commissioner’s Office (ICO) has announced. The data protection breach occurred when the student copied data onto a personal, unencrypted memory stick, which was subsequently lost. An investigation by the ICO revealed that the hospital had assumed that students had received data protection training at medical school, so it did not provide them with the induction training given to the rest of its staff. The hospital has now agreed to take steps to address the breach, including informing all students of its data protection policies. In another incident, London Ambulance Service has agreed to implement a policy that patient information is not held on staff's personal computers, following the theft of a laptop from a contractor's home which contained patient data.

These episodes show the importance of monitoring data protection compliance relating to sensitive personal data, such as individuals' health. The ICO is concerned that appropriate data protection policies and training are fundamental to the operation of organisations whose core activity involves sensitive personal data. Workers in these sectors need to understand the need to keep individuals' data secure at all times, and be aware that placements and rotations at different locations may entail additional safeguards. Organisations dealing with sensitive personal data should ensure their staff, both permanent and temporary (including contractors and students), understand the steps required to maintain individuals' privacy.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.