Your practice manager downloaded data including patient names and dates of birth to her personal laptop to work on at home. The computer was stolen after a break-in. What should you do?
It is advisable to contact the patients concerned to apologise for the loss of the data, explain the extent of the loss and offer a meeting to discuss any concerns they may have.
The Department of Health has recently published a checklist for reporting, managing and investigating accidental losses of data such as this.
It recommends that the loss of personal information that could lead to identity fraud should be treated as a 'serious untoward incident' so that lessons can be learned from it. It also advises that it may be necessary to report the loss to the PCT or Information Commissioner, depending on the amount of data lost.
The Data Protection Act 1998 imposes a legal duty on those responsible for personal data to ensure it is held securely and protected from unauthorised or unlawful processing. Practices are also contractually required to nominate a person with responsibility for confidential data procedures.
To reduce the risk of accidental confidentiality breaches, the MDU advises practices, where possible, to avoid storing patient identifiable data on personal computers, personal mobile devices and memory sticks.
The Department of Health has said that 'wherever possible, person identifiable data should always be stored on a secure server'.
Dr Wendy Pugh is a medico-legal adviser at the Medical Defence Union