Doctor leaves patient details on tube

19 Oct 2010 - Responsible action protects patient privacy

A doctor at North West London Hospitals NHS Trust breached the Data Protection Act by leaving medical information about 56 patients on the tube.

The incident, which was reported to the ICO by the Trust in May 2010, occurred when a doctor printed out personal and diagnostic information about patients to work on at home.

Fortunately the doctor realised realised his mistake and reported the loss to the station supervisor. The documents were found at the train’s termination point and collected by the doctor.
 

"We understand that many health professionals have busy lives and often take work home but simple steps like removing patient’s names from print outs can help minimise the potential for personal data to be lost or otherwise compromised. I welcome North West London Hospitals NHS Trust’s decision to report this breach to us and for the remedial action it has taken to put more effective data protection measures in place." said Sally-Anne Poole, Enforcement Group Manager at the ICO.

Fiona Wise, Chief Executive of The North West London Hospitals NHS Trust, has signal a formal undertaking outlining that the organisation will ensure that personal data is processed in accordance with the Data Protection Act. In particular the Trust has agreed to adopt pseudonymisation techniques, meaning that personal details like patient’s names, will not be contained in print outs.

NETconsent View

It is not just sensitive data stored in an electronic format that has to be stored and processed correctly. This case highlights data breaches of printed matter are taken no less seriously by the Information Commissioner's Office.

Clearly, it is not possible to encrypt printed files. However patient names could have been removed from documents (the ICO's recommended approach) or perhaps the data encrypted and sent by a more secure method from one location to another.

Educating NHS employees about the risks of transferring sensitive patient information from one location to another and ensuring they understand their responsibility to protect such data is crucial.

Communicating correct procedures and processes in a manner that gets the message across is easier and cheaper using automated tools, such as NETconsent.