Hospital staff travelling on bus with medical records - possible data breech?

[Notyouthful]

I visited the hospital this morning and bus service I use the start/end of the route are two hospitals. Got on the bus about halfway on the route to the bigger of the two hospitals. On the bus, was a hospital worker - guessing in the records office with a trolley with numerous patients' files in it. There was no cover on it and could see the name and address of the top file.

Surely that is a breech of data?

It's only a problem if there was more than just a name visible. People's names are in the public domain and a folder with the name Matthew Jones on it tells you nothing. If you could see his address, date of birth and diagnosis that's bad.

I used to run a clinic out at a rural surgery and my records had to be carried between hospital and surgery in a locked case.

The outer of the file has a sticker which has name, address and DOB as seen mine plenty of times.

Only opening it reveals what department(s) patient is/was under.

I often wonder this when you line up to book in at hospital clinic for eg - you give your name, dob, registered GP, mobile phone number etc etc - everyone there can hear everything you say!

Took DC to an MIU recently and I knew what the reason for being there was for everyone who booked in after us.

The same as when I have birth - I could have given you a detailed medical history and all personal info for the other women in the bay. Curtains aren't sound proof.

Yep - a data breach is any security incident which affects the confidentiality, availability or integrity of personal data - so you being able to see a name, address, date of birth is a breach of the confidentiality of the data.

The hospital should have in place technical and organisational controls to safeguard all personal data it holds - which it clearly has failed to implement here.

As it wasn't your data, there won't be very much they can tell you about it - but do drop an email to their Data Protection Officer to let them know what you saw - that should prompt them to improve their processes.

Was it a public bus or a hospital 'hopper'? If it was a hopper then that would be acceptable as it's mainly used for staff, a public bus is unacceptable though. I would complain.

They absolutely need to be transferred securely. I would take a photo and complain.

It’s a hospital hopper but route isn’t the most direct. It stops at a retail park en route and other people who aren’t going to hospital (work, appointments, visiting) use it to go to/from retail park!

Yes it's a breach if you could read a name. Using the bus for transporting notes isn't...its a risk but not a breach.

I agree with PP about verbal breaches at reception desks. It's appalling

I would be tempted to ring and speak to the security department. I would stress that you are not making a complaint but you witnessed xyz and thought they should be aware and then if it happens again make a complaint

It is a data breach . Contact the information governance lead or Google caldicot guardian and the trust name. There will be contact details for the person to report this to

When I was a ward clerk we would send paper note files around internally with a cover sheet to hide any personal details on stickers, never mind outside the site!

Definitely a data breach and should be reported.