The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. To carry out the tests, the developer had copied onto it the records of 6,377 people who had applied for medical posts. Because the machine was never intended to leave the premises, the data on it was left unencrypted: under the policy in force at the time, a laptop that stayed in the office did not count as a 'mobile device', so the encryption requirement that applied to mobile devices did not apply to it.
In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."
Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.
The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for a formal undertaking that it would tighten its data protection procedures.
The assurances are set out in NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as on other portable media.
In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."
The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.
The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.
Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.
The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi had infringed First Conferences' database right under regulation 16(1) of the Copyright and Rights in Databases Regulations 1997, which prohibits extracting or re-utilising all or a substantial part of a database's contents without the owner's consent.
The court also found that Braachi had transferred the domain name theforecaster.com from First Conferences to his new business without permission.