A WATCHDOG has ruled the NHS Trust in charge of Lister Hospital in Stevenage to be in breach of the Data Protection Act after a junior doctor lost a memory stick containing “sensitive personal data” of hospital patients.

The Information Commissioner’s Office (ICO) made the ruling against the East and North Hertfordshire NHS Trust last week.

The unencrypted memory stick contained details of patients’ conditions and medication, and should have been passed to the next doctor on shift.

But the junior doctor accidentally left work with it. He had intended to forward the data electronically, but lost the device on his train journey home.

The memory stick, which was lost in May this year, has never been recovered.

An investigation by the ICO has revealed that the Trust’s policy on the use of personal memory sticks was not clear, and no technical measures were in place to prevent misuse of portable devices.

Nick Carver, chief executive of the Trust, has signed an ICO agreement to ensure the Trust’s policy is made clear, to provide training for all employees who have access to personal information, to implement safeguards, and to regularly monitor for compliance with security procedures.

Mick Gorrill, head of enforcement at the ICO, said: “Storing sensitive personal data on unencrypted data sticks is a risk Trusts should not be willing to take.

“If it is vital to store information for handover, this must be done with the highest security measures in place.”

A spokesman for the Trust put the data loss down to “human error”.

“We take our responsibilities to patients very seriously, and have completed the implementation of a secure IT system that only supports secure, encrypted devices and does not support the use of non-Trust equipment,” she said.

“This system is now being used securely and consistently across the Trust.”

She added: “We do not believe this event put patients at risk and we will continue to be vigilant in the protection and care of our patients’ information.”