NHS Trust and building society guilty of data breaches

The Yorkshire Building Society and Royal Wolverhampton Hospitals NHS Trust have been rapped by the Information Commissioner's Office for losing unencrypted data
Written by Tom Espiner, Contributor on

The Yorkshire Building Society exposed a substantial number of customer details in a data breach, according to the Information Commissioner's Office on Thursday. This follows a ruling on Tuesday by the UK's data protection watchdog against the Royal Wolverhampton Hospitals NHS Trust over lost patient records.

The financial customer data was on an unencrypted laptop stolen from the offices of Chelsea Building Society (CBS), which recently merged with Yorkshire Building Society (YBS). The laptop was taken from the head office of CBS, Thirlestaine Hall, on 19 April, soon after the two societies merged.

A CBS employee had been doing marketing analysis on the laptop, which was then passed to a CBS manager. The manager left the laptop under his desk in a carry case, with the passwords written on a piece of paper, also in the case.

"It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords," ICO head of enforcement Mick Gorrill said in a statement on Thursday (PDF). "What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided."

Private investigators employed by the Yorkshire society, which was the data controller at the time, recovered the laptop after a couple of days. The building society performed a forensic examination which determined that the thief had not accessed the customer data, said the ICO.

A YBS spokesman said on Thursday that the stolen data related to CBS customers' mortgage and savings accounts.

"No customer passwords, PIN numbers or third-party bank account details were contained within this information," the spokesman told ZDNet UK.

YBS chief executive Iain Cornish signed an agreement with the ICO (PDF), which states that all YBS portable devices are encrypted, and that staff will only have access to personal data that is necessary for their work.

On Tuesday, the ICO said it had found Royal Wolverhampton Hospitals NHS Trust in breach of the Data Protection Act (DPA) after it lost 112 patient records on a CD left at a bus stop.

The patient records, from the Intensive Care Unit of New Cross Hospital's Heart and Lung Unit, were found in May, according to an ICO press release (PDF). The unencrypted CD was discovered at a bus stop near the hospital and had no password protection.

The trust carried out an investigation, but was unable to say how the CD had been made, according to an ICO enforcement document. The trust identified procedural difficulties, including a lack of timeliness in recalling patient charts released to consultants.

It has also signed an ICO agreement, with provisions that include ensuring that patient charts released to consultants are signed for on receipt and chased for return after one week.

The NHS is the organisation which reports the most data breaches to the ICO, the watchdog said in June.
