A Scottish health board has been rapped by data protection chiefs after a memory stick containing “sensitive” information about patients and staff was found outside a supermarket.
The Information Commissioner’s Office (ICO) found Forth Valley Board in breach of the Data Protection Act (DPA) after the incident in early May.
The unencrypted memory stick, which had no password protection, was found by a 12-year-old boy outside the Asda store in Stenhousemuir, near Falkirk.
It reportedly contained the criminal histories of some violent patients as well as details of staff at the Tryst Park unit at Bellsdyke Hospital in Larbert, Stirlingshire.
Tryst Park is a medium-secure unit providing long-term care for adults with severe mental health problems.
Inquiries established that the information had been uploaded by a member of staff on to a personally owned memory stick that was then lost or stolen.
Forth Valley has now signed a formal undertaking agreeing steps to improve its data protection methods.
If it does not comply, it could face legal action, which may involve a fine.
Ken Macdonald, assistant commissioner for Scotland at the ICO, said: “This case highlights the importance of health bodies complying with the Data Protection Act when storing and transferring patients’ sensitive personal information.
“All staff members should be fully aware of the policies and procedures in place to safeguard personal information to stop it falling into the wrong hands. I am pleased the organisation is taking remedial steps to ensure such an incident does not happen again.”
As part of the undertaking it has signed, Forth Valley has agreed that the organisation will only use portable and mobile devices issued by the board to process personal data.
From 31 December, any new devices the board issues will be encrypted using encryption software.
The board will also implement a number of security measures to protect personal information more effectively, including physical security measures to prevent data being uploaded on to any unauthorised mobile device.
All staff members will be made aware of the policies and procedures in place to safeguard personal information.
A Forth Valley spokeswoman said: “We have already taken action to improve the security of patient information and are committed to ensuring all of the recommendations made by the Information Commissioner are addressed.”