Hospital agrees to train staff, encrypt equipment
The Information Commissioner’s Office (ICO) has taken enforcement action against Hastings and Rother hospital following a breach of the Data Protection Act. This is the eighth time the ICO has taken enforcement action against a National Health Service organisation for breaching the Data Protection Act since November 2008.
A computer containing sensitive personal information on patients was stolen from Hastings and Rother hospital. The building where the computer was kept did not have adequate security measures in place, and the data controller had previously expressed concern over the lack of physical security.
The ICO has required Hastings and Rother hospital to sign a formal undertaking outlining that it will process personal information in line with the Data Protection Act. The hospital authorities will ensure staff are adequately trained and will encrypt all office equipment and mobile devices used to store and transmit personal information.
Eduardo Ustaran is the head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of KnowledgeNet London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at eduardo.ustara