
Organisations lose confidential data

Experts warn that password security is not sufficient

Andrea-Marie Vassou, Computeract!ve 25 Sep 2007

Two notebooks containing confidential information about NHS patients and council staff have been stolen.

One was owned by the Dunstan Medical Centre in Bolton, and contained medical details of patients.

The other belonged to St Edmundsbury Borough Council, and contained bank and national insurance details for 1,380 people on the council's payroll. Both were stolen in residential burglaries.

When Computeractive contacted the two organisations, both said they had informed the people whose data was stolen, and that the notebooks had multiple password security systems in place.

A representative for Bolton Primary Care Trust EHI Primary Care, which oversees Dunstan Medical Centre, told Computeractive: "Our policies were already up to date but we have learnt our lessons and will continue to revise them."

Following the breach it sent out a reminder to staff and GP practices about security and confidentiality when using notebook computers. This included providing users with appropriate access protection such as passwords. It also said that notebooks should not be left unattended in public places or in cars.

However, according to the security company PGP Corporation, these security measures are not enough.

Jamie Cowper, a representative for PGP, said: "It is disturbing that two organisations handling such sensitive information on a daily basis still rely on simple passwords for data security."

He also said that locking away laptops when not in use is ineffective when dealing with today's threats.

"Locks can be broken and passwords can be hacked. If Bolton Primary Care Trust and St Edmundsbury BC had implemented an enterprise-wide encryption policy, employees could take laptops off-site with the assurance that, even if their device was lost or stolen, the data would remain inaccessible."

The Information Commissioner's Office (ICO) would not comment on the two cases individually, but agreed that encryption was a key part of the security process. It said that any lost or stolen notebooks that were reported to be unencrypted could be subject to enforcement powers. The ICO's powers allow it to issue organisations with a warning and, if it conducts an inspection and finds that data is not being adequately protected, take the organisation to court.

A representative for the ICO told Computeractive: "Organisations that process personal information have an obligation to handle that information in line with the eight data protection principles, one of which is that it must be kept securely.

"Customers, clients and employees should be able to feel confident that their personal information is protected," she added.

Neither organisation would comment on why they did not use encryption to secure their notebooks.

© 2007 Incisive Media Investments Ltd
