Medical Student Loss of Memory Stick Results in Data Protection Breach

A medical student on placement at a hospital transferred personal information of patients onto an unencrypted memory stick to continue the research after the work placement had ended. The student had been provided with an encrypted memory stick with the personal information of patients related to the research and was asked to continue the research on completion of the placement. It was at this point the student transferred the information to a personal unencrypted memory stick which was subsequently lost. The University Hospital Trust had assumed that training in data protection was done at medical school and did not provide induction training.

The outcome was a breach of the Data Protection Act 1998 and an undertaking by the Hospital Trust which includes provision of:
· Appropriate induction training of students at the beginning of a placement
· Awareness of and training in how to follow the policy for the storage and use of personal data and specifically with regard to portable devices
· Appropriate and regular monitoring for compliance of access to personal data for non-clinical purposes such as research and education.

Although it is clear that in this situation the responsibility for compliance with data protection law lay with the Hospital Trust, situations may arise in which it is less clear, where university research staff are involved with external organisations. Responsibility for compliance with data protection law should be considered by universities and colleges at the outset in their research and other agreements. This undertaking indicates that good handling of personal data is as relevant as ever and requires appropriate training and regular monitoring in the workplace to ensure compliance.

The University Hospital of South Manchester NHS Foundation Trust Undertaking dated 7 Sept 2011 is available on the ICO website at http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings. JISC Legal has further information on data protection at http://www.jisclegal.ac.uk/LegalAreas/DataProtection.aspx.

Posted on 07/09/2011
