NHS Education for Scotland (NES) has admitted that the
information was stored unencrypted on a laptop. It said that it was
not intended that the laptop leave its premises.
Privacy watchdog the Information Commissioner's Office (ICO) has
said that it will agree not to take action against the body as long
as it encrypts laptops and portable devices likely to contain
personal data.
The information on candidates in relation to diversity and
equality is likely to qualify as 'sensitive personal data', the ICO
said, which means that it earns greater protection from the
law.
The information was being used to test the development of a
recruitment website and was stored in NES's offices at Ninewells
Hospital in Dundee.
It was stolen from there late last year. "NES staff are
confident that this office was locked at the close of business on
[the day in question]," said the ICO's account. "A police
investigation into the incident has proved inconclusive; Tayside
Police do not expect any further progress."
The ICO said that for each of the 6,377 people, a database on
the laptop contained "summary descriptions of applications for
medical training positions, and included information such as the
names, addresses, phone numbers and General Medical Council
reference numbers of the data subjects. The personal data also
included equality and diversity monitoring information".
NES has said that it will encrypt data on devices, train staff
on its new practices and improve security measures.
"Password protected laptops are not secure," said Ken Macdonald,
Assistant Information Commissioner for Scotland. "I urge all
organisations to restrict and encrypt the amount of personal
information stored on portable devices that can be taken off
site."
"In this case, the stolen laptop contained sensitive personal
information including equality and diversity information. If
personal details fall into the wrong hands, individuals can
experience considerable distress. Safeguarding sensitive personal
information is an important principle of the Data Protection Act.
This case serves as a reminder that all organisations and their
executive teams need to ensure that data protection is treated as
an important part of corporate governance," he said.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice.