Two trusts have been found in breach of the Data Protection Act for losing and failing to secure information about patients.
In the first case, a laptop carrying unencrypted data of around 5,000 patients, including health records, was stolen from premises of Abertawe Bro Morgannwg University trust, in South Wales, in April.
The Information Commissioner's Office said it was believed the computer was stolen by an opportunistic thief when an office was left unlocked.
The trust has signed an agreement with the commissioner to encrypt all data in future and improve security.
In the second case, Tees, Esk and Wear Valleys foundation trust lost a memory stick containing unencrypted personal information about patients and staff. The stick was passed to the media, prompting the trust to carry out its own investigation.
Appropriate measures
The organisation has agreed to use only encrypted data sticks, to put in place encryption policy and procedures and to ensure that external contractors are aware of the issues.
Assistant information commissioner Mick Gorrill said: "Even though one case involved the theft of a laptop, the data controller is responsible for ensuring any personal data is adequately protected.
"The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure."
Password protected
A statement from the Abertawe Bro Morgannwg trust said: "The theft took place outside of normal office hours, at a time when the offices would normally be unoccupied and the rooms locked.
"The laptop contained patient identifiable information, but this information was password protected. In addition, documents stored on the hard drive were also password protected."
The trust said it had taken a number of measures to improve security and encryption, however.
A spokesperson for Tees, Esk and Wear Valleys foundation trust said: "Safeguarding patients' confidential information is of the utmost importance to the trust.
"We have already put a number of measures in place to prevent something like this happening again and work to ensure that we comply with all the ICO's requirements is well under way."
1 Readers' comment