ICO blasts latest NHS data loss in Manchester

According to the ICO, which has sought formal undertakings from the NHS body, the data was lost after a medical student working in the hospital's plastic and burns department copied patient data onto a personal, unencrypted memory stick for research purposes. The student then lost the memory stick after being posted to a different NHS unit.

The ICO says its investigation revealed that the hospital had assumed that the student had received data protection training at his medical school and therefore did not provide him with the induction training given to its own staff.

The hospital has now agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.

Sally Anne Poole, the ICO's acting head of enforcement, said that the case highlights the need to ensure data protection training for healthcare providers is built in early on, so that it becomes second nature.

“Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff - both permanent and temporary - understand their responsibilities on day one in the job”, she said.

“[Whilst] we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people's education”, she added.

Commenting on the case, Chris McIntosh, CEO of ViaSatUK, said that the Manchester NHS losses demonstrate the risk of a complacent approach to data protection as well as the need for training to be carried out across all levels within an organisation.

“There is little point in having a policy in place if it is not adhered to by everyone”, he said, adding that sensitive information on patients needs to be secured and, if it is stored on portable storage devices, those devices need to be encrypted.

McIntosh, who has previously been vociferous in his criticism of ICO penalties, went on to say that data protection training needs to be instilled at an early stage for those working with sensitive data in the same way that health and safety training is undertaken before staff begin work across all organisations.

It should, he explained, also be transparent who has and who has not received this training, so that presumptions are not made, rules are adhered to and further losses like these are prevented in future.

Over at CyberArk, meanwhile, Mark Fullbrook, the security firm's director, said that, at a time when so many new doctors will be joining the ranks of the NHS, this story is hardly encouraging.

“The NHS holds arguably the most sensitive of our personal information and, at the very least, we expect it to protect this data adequately and to train its staff, and indeed anyone it works with, to treat this information with the respect it deserves”, he said.

“In this case, it is particularly disappointing that it was simply assumed that the student had received data protection training. Given the importance and sensitivity of the information in question, this should have been checked properly and addressed immediately”, he added.
