South London healthcare NHS trust has admitted to a data faux-pas, with the organisation having mislaid two USB sticks which held hundreds of patient details in unencrypted form.
The two incidents were separate from each other, and the first involved the details of some 600 maternity patients. The second was smaller scale, with the memory stick containing data including the names and dates of birth of 30 children.
Apparently, in the first case, an employee had downloaded the data onto the USB stick to work at home with, but was not aware that encryption should have been used.
The ICO noted: "Due to not having received up to date information governance training, the employee was unaware that an encrypted device issued by the data controller should have been used."
The ICO said the data was put at "unnecessary risk", but added that both devices were later recovered, and that it was "unlikely that they were readily accessible during the time they could not be located".
Unlikely, of course, not necessarily meaning that they weren't copied by someone who came across them.
The NHS trust has signed an undertaking to ensure any data leaving the premises on a laptop, memory stick or other portable device has been encrypted, and that company policy regarding the storage of personal data is followed by staff, with appropriate training provided.
Source: The Guardian