Advice line dilemma - laptop theft

Laptop theft case study

An ST1 in anaesthetics emailed the MDU after her laptop was stolen during a break-in at her flat. Her training log, with details of all the cases from the start of her training, was stored on the machine.

She immediately reported the theft to the police, but was very anxious as a friend in another trust had recently received a written warning for breaching the trust's data protection policy.
The doctor wanted advice on whether she had a duty to report this loss to the trust or to any other body and whether she might face disciplinary action.

MDU advice

The adviser asked the doctor to clarify exactly what information she held on the laptop and what security had been in place. The doctor confirmed that any patient cases she had stored were identified only by hospital number and date of birth, and that her laptop was password protected.

The adviser recommended that the doctor check her trust's data protection policy to make sure that she had complied fully with it, and inform the trust of what had happened. This should also help pre-empt any difficulties should the media learn of the incident and publish anything which referred to the trust. As there was no patient-identifiable data, there should be no need to report this loss to the Information Commissioner.

After this discussion, the doctor recalled that in her friend's case it was the fact that the lost laptop contained identifiable data which had led to the disciplinary action.

The doctor checked the trust policy and found that she had complied with it. The trust thanked her for reporting the loss and confirmed it needed to take no further action. Had this data not been anonymised, the anaesthetist might have faced a disciplinary investigation by her trust, and the trust may have faced a heavy fine from the Information Commissioner.

Fortunately, the doctor in this case had an up-to-date back-up copy so she had not lost any information which might have caused difficulties with her training.

Learning points

  • Check that you comply with your trust's data protection policy.
  • Keep an up-to-date back-up copy of all important information.
  • Password protect your laptop.
  • Unless you are registered as a data controller under the Data Protection Act 1998 (for example if you set up in private practice) you should not store identifiable patient information on your own systems.

This page was correct at publication on . Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.