A SECOND data breach has been reported by the trust which runs Basingstoke hospital, after personal data of 1,000 members of staff was shared.
Details of the breach, which was reported to the Information Commissioner’s Office (ICO) in July, have come to light in meeting papers published online by Hampshire Hospitals NHS Foundation Trust (HHFT).
It is the second breach reported to the ICO by the trust between April and September this year.
The other breach, discovered by the Gazette in August, saw personal details of women who had suffered a stillbirth published online.
The trust has now published a report on both incidents to its board of directors, detailing what action it has taken as a result.
The breach in July saw a spreadsheet containing an unnecessary amount of personal data of 1,000 members of staff shared with senior managers within the trust for them to disseminate across their divisions.
The ICO did not take enforcement action but did recommend that HHFT makes available to all staff a documented process for checking attachments contain correct information, and an ongoing review of the effectiveness of this process.
The trust also made its own recommendations, which included that the team involved review and discuss the data security and protection policy to confirm their understanding; improve communications within the team in respect of allocating tasks; password protect sensitive data prior to release; improve practices around sending emails; and update all department policies to include a data security and protection statement.
In relation to the stillbirth breach, HHFT apologised for the distress caused to the women affected, which saw their details, including previous miscarriages and pregnancy terminations, published in online papers.
The matter was reported to the Information Commissioner’s Office (ICO) by the trust after it was informed by the Gazette.
Again, the ICO decided not to take enforcement action.
The ICO instead recommended the trust ensures consideration is given to redacting material made publicly available, depending on its nature and content; and that it reviews its training on checking and redacting.
The trust reported that it looked at the cause of the incident and made its own recommendations, which included having a mandatory procedure for board report papers; tailoring training for secretariat; creating a mechanism for highlighting that personal or patient data has been included, and whether this has been approved by the director; and the secretariat contacting the data protection officer for advice when needed.