Mid Staffs NHS Foundation Trust is one of the latest organisations to agree to give an undertaking to the Information Commissioner as a result of a data protection security breach. However, the circumstances of the breach are, we suspect, so routine that almost all organisations could learn from it.
This was not the standard “lost/stolen laptop” or “lost USB key” breach, but involved an eager member of the Trust’s (human resources) staff sending (sensitive) personal data to a home computer to finish off some work at home. The personal data was not encrypted or secured by a password. This transfer was in breach of the Trust’s policy, but the lack of physical security measures to prevent the transfer was heavily criticised.
I strongly advise organisations to avoid instances where employees can download and transfer personal information to home computers.