While London Ambulance Services breaches Data Protection Act after laptop theft

The Information Commissioner’s Office (ICO) has found the University Hospital of South Manchester NHS Foundation Trust in breach of the Data Protection Act (DPA) after losing an unencrypted USB key containing patients’ personal data.

Sensitive personal information relating to the treatment of 87 patients at the hospital was lost after a medical student copied data onto a personal, unencrypted memory stick – provided by the Trust – for research purposes.

The student was on a placement at the hospital’s burns and plastics department at the time, and lost the stick during another placement in December 2010.

Following an investigation, the ICO found that the hospital did not provide students with induction training, including DPA-related training, which it gave to its own staff. The hospital assumed that the student had received data protection training at medical school.

The University Hospital of South Manchester has now signed an undertaking to ensure that all students are aware of data protection policies, to keep personal information accessed by students secure.

Sally Anne Poole, acting head of enforcement at the ICO, said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.

“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.”

Separately, the London Ambulance Service NHS Trust has also today signed an undertaking after it was found to have breached the DPA when a personal, unencrypted laptop was stolen from a contractor’s home.

The laptop contained personal data and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service.
However, it did not contain medical records.

Although the contractor had legitimate access to the records, the member of staff had emailed them to a personal account for working from home, which led to the breach of the Trust’s policy, and then downloaded the information onto a personal, unencrypted laptop.

The London Ambulance Service has now agreed to ensure that all staff are made aware of the Trust’s data protection policies.