ICO warns NHS trusts not to store sensitive data on unencrypted USB sticks

Storing sensitive personal data on unencrypted data sticks is a risk NHS trusts “should not be willing to make”, the head of enforcement at the Information Commissioner’s Office has said.

Mick Gorrill’s comments came after the ICO ruled that East & North Hertfordshire NHS Trust breached the Data Protection Act when an unencrypted USB stick was lost by a junior doctor on a train journey home.

The doctor used the stick to record details of patients’ conditions and medication before handing over to the next doctor on shift. The stick was taken home accidentally with the intention of forwarding the data electronically. It has never been found.

The trust was informed as soon as the doctor realised what had happened. Enquiries by the ICO found that the doctor had not been aware of East & North Hertfordshire’s data protection policies. The doctor did not have access to email, so could not receive policy reminders or updates.

The ICO’s investigations also revealed that:

  • the trust’s policies on using USB sticks were unclear, and
  • no technical measures were in place to prevent misuse of portable devices.

The trust’s chief executive has since given an undertaking, agreeing to ensure its policy on portable devices is clear and communicated to all staff. East & North Hertfordshire will provide training to all staff with access to personal information, and also monitor compliance.

Gorrill said: “If it is vital to store information for handover, this must be done with the highest security measures in place. Furthermore, it is vital that employees are fully aware of processes which could have prevented this incident from occurring.”