Nursing home fined over staff-related security incident

Northern Irish nursing home Whitehead Private Nursing Home Ltd has been fined £15,000 by the Information Commissioner’s Office (ICO) over a data breach involving employees’ and residents’ sensitive data, as stated in this ICO report.

Unencrypted laptop brought home and stolen during break-in

The data breach was the result of an unencrypted laptop being brought home by a member of staff and subsequently stolen during a burglary. While the theft was reported to the police, the missing laptop has never been found. It contained personal details of 46 nursing home staff, including medical certificates and disciplinary statements, and sensitive information on 29 residents, including names, dates of birth, information about mental and physical health, and more.

Lack of security policies and staff awareness training at the root of the problem

The laptop was usually kept in an unlocked office, where nurses could use it freely during their shifts, and was regularly taken home to complete work. On the night it was stolen, it was stored in a bag left in the living room. Based on these facts, the ICO found the nursing home in breach of the Data Protection Act (DPA) due to “inappropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss of personal data”. In detail:

  • Use of an unencrypted device off-site;
  • Lack of any policy governing the use of encryption, homeworking and the secure storage of mobile devices;
  • Lack of security awareness training for staff.

Carrying out a staff awareness programme is simple with e-learning courses.

Staff awareness training should be an ongoing and iterative process to make sure staff are aware of information security policies and compliance requirements, thereby reducing the risk of security incidents. Staff awareness e-learning courses minimise disruption to everyday working, provide consistent teaching and outcomes, and let staff learn whenever and wherever they prefer.
