Details of 18,000 NHS staff 'missing in post'


16 Sep 2008

Health bosses are investigating after computer discs containing the personal details of nearly 18,000 staff across four NHS trusts in London went missing in the post.

The details of 17,990 current and former staff were lost in July after being marked up to be sent via recorded delivery from Whittington Hospital NHS Trust to the offices of a firm providing payroll IT services.

The trust said that the discs did not contain staff members' personal bank account details, although they did include names, dates of birth, national insurance numbers, start dates and pay details.

Those affected are staff and former workers at Whittington Hospital NHS Trust, Islington Primary Care Trust, Camden Primary Care Trust and Camden and Islington NHS Foundation Trust.

The discs, which are password-protected, should have been posted on July 22, although there was no record of them being sent.

David Sloman, chief executive of Whittington Hospital NHS Trust, said a member of staff had been suspended and an investigation was being carried out. "It is trust policy to send any such information by courier," he said. "To our knowledge this is the one and only time that such information was directed through the post."

Copyright © PA Business 2008


Heledd Lloyd-Jones, a member of Morgan Cole's Information Governance team, comments:

Principle 7 of the Data Protection Act 1998 imposes obligations on all organisations with responsibility for managing personal data to take appropriate technical and organisational measures to guard against the accidental loss of this data. Among other things, data controllers should:

  • use appropriate technical security measures to protect personal information (encryption, rather than mere password protection, is increasingly considered necessary to afford an appropriate level of protection to electronically held personal data whilst in transit);
  • ensure that contractors (including courier services) engaged to process personal data on their behalf have in place robust systems to safeguard the integrity and security of the data concerned;
  • use written contractual provisions dealing with data protection related issues whenever services involving the use or transfer of personal information are engaged;
  • take reasonable steps where large volumes of data are involved or the data is particularly sensitive to audit the data security systems in use by their contractors;
  • report any significant data losses to the Information Commissioner in accordance with ICO guidance "Notification of Data Security Breaches to the Information Commissioner’s Office".

Morgan Cole provides data protection training, accredited by the British Computer Society, that prepares candidates for the examination leading to the nationally recognised ISEB Certificate in Data Protection qualifications. For further information, visit http://iseb.morgan-cole.com.