Ashford and St Peter's Hospital NHS Trust lost three unencrypted memory sticks, containing Word files of the treatment and diagnosis history of a number of cancer patients.
"I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices," said assistant ICO commission Mick Gorrill. "In this case, our investigation found that there was a lack of understanding and awareness among staff of their responsibilities under the Data Protection Act."
A member of Mid Staffordshire NHS Foundation Trust's human resources team transferred sensitive personal information on an employee, including data on a previous criminal conviction, to a home computer. The file was neither encrypted or protected by a password.
"I strongly advise organisations to avoid instances where employees can download and transfer personal information to home computers. This incident should never have occurred and could easily have been averted," commented Gorrill.
Andrew Liles and Antony Sumara, the chief executives of Ashford and St Peter's and Mid Staffordshire respectively, have both signed undertakings confirming their trusts will improve information security. Ashford and St Peter's will improve staff training, while Mid Staffordshire will bring in new rules on handling personal data at home.
