The Register® — Biting the hand that feeds IT

Colchester Hospital sacks manager over lost laptop


Lawrence

No Need. 

IT Angle

No way should an individual employee be responsible for the total security of data on mobile devices. All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use. If such data is being transported or stored then, as the PGP dude said, it is the responsibility of the enterprise and should be encrypted by default.

Give them their job back, and place the blame in the right place, and sort your data security out.

Richard

Nice one! 

That's some serious buck passing, right there. Nice to see bureaucracy working.

James

Can we ask why ... 

... he had his laptop on holiday with him?

Surely we have got to get away from this idea that we've got to take work with us everywhere we go!

As mentioned in the article - ultimately the responsibility lies with the Boards of the companies and organisations involved. If they create a culture in which people feel they have to have work with them 24/7 then this will happen.

But it does show that the Hospital involved must have a very bad work culture.

Danger Mouse

Scape Goat 

Coat

"The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality." says Murphy. Well brains, if the Trust took it that seriously they would have taken the steps to roll out an encrypted data store. It doesn't have to cost a lot, although, seeing as it's the NHS, they will pick the most expensive solution when they eventually get their fat lazy heads around to it. Here's a tip: TrueCrypt. It's free as in beer and will stop the average laptop thief stumbling across confidential information. Now there's no excuse.

(The one with 'Angry C*nt' stamped on the back)

Eponymous Cowherd

The term 'scapegoat' 

Thumb Down

springs to mind.

Chris O'Brien

Appropriate care 

You have to ask what the manager was doing with a work laptop containing patient data with him/her on holiday in Edinburgh. Although it is the organisation's responsibility to ensure proper policies and procedures are in place it is the individual's responsibility that they follow them and take appropriate care with equipment and information. Taking it on holiday isn't.

King Keepo

Why sack a board member for a junior's mistake? 

Go

If this chap took a work laptop containing confidential information on holiday, left it unattended in his car, then yes, he should be reprimanded.

Locking the laptop and having it password protected is as much security as can be expected from non-IT staff, but even having it in a position where it is stolen like this is a little daft.

Theft from the home is unforeseeable, but leaving it in your car while on holiday is easily avoided.

Andy S

Sensitive data 

Thumb Down

More to the point ... what was sensitive data doing on an employee's laptop in the first place. All sensitive data should be kept in the database and should not leave site under all but exceptional circumstances (i.e. offsite backups etc) and those circumstances should be strictly controlled and tightly secured.

Ru

No need? 

Alert

He left his work laptop, full of valuable data, unsecured in a car whilst on holiday. Is that someone else's fault too?

Tim Spence

RE: No Need. 

I agree, as I'm sure the board which sacked him would... I can only think that this guy had the data on the laptop without authorisation - ie. he copied it off some network share when in the office, so he could "work" while sunning himself in his garden or something.

If an employee takes data off the network without seeking proper authorisation, then it's their fault if something happens to that data.

Rob

Whose fault is it anyway 

Alert

Would make a good TV show for public sector organisations.

The Corporation is at fault for not providing encryption, but also I think the Manager is at fault for leaving his laptop in his car.

Simple rules from the anti-car-crime adverts: don't leave it on display. Like the sign says on work vans, "no tools left in van overnight"; my laptop and other media kit are my tools. This manager is also a tool.

Bill Gould

Labour Board? 

Gates Halo

Is there any such creature available for the manager to appeal to? If so I'd be on the phone immediately and gouging the hospital for a nice fat settlement based on wrongful dismissal, etc. This was their fault. Then of course I'd go on holiday again with the settlement money.

Mike Sullivan

I'm confused... 

Alert

Hospital manager has his laptop stolen from his car (presumably locked) is sacked.

Muppet from the government gets off a train and leaves top secret military plans on a seat, and is what? Sacked? Given a severe talking to? A dressing down in the golf club...

Anonymous Coward

@Lawrence 

Stop

Whilst I would agree about the encryption side of things, it's possible that he's been disciplined for leaving it unattended in a car - which is quite likely to be against company regulations.

Certainly where I work now (Bank), where I worked before (Telecoms Company), and even the place before that (IT "Services Company", actually an overgrown box shifter) had it specifically listed as something you're not allowed to do.

Of course, we're in the situation where EITHER being fixed would have been 'good enough', so the IT director should ALSO be fired for not having adequate protection in place.

Brezin Bardout

@ Lawrence 

All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use...

You could also try to not leave it unattended in a car. Anyone with basic common sense should know it is not a good idea to leave anything of value in a car. I certainly wouldn't, would you?

ooFie

Well it's good to see someone finally getting the rap! - funny how it wasn't a minister though, huh! 

Coat

However why are these people allowed to take the data in the first place.

Surely they could do a remote terminal login to a central server that requires user:pass to access data. That would be a far more secure and simple option than allowing government users to take data with them on HDD.

That way, if they do have their laptops stolen (and as usual the accounts are unencrypted), at least all that will be on the laptop will be a few files and the terminal software, with an account that can be changed or deleted, instead of GB worth of personal information on Joe Public.

*\. Mine's the one with the folded piece of paper on which is scribbled in a moment of madness "Most people are Fuktards!"

Anonymous Coward

on holiday ? 

No, they are right to sack the guy - why did he have the laptop with him whilst on holiday? And why was it left in the car? That's not how you treat company property with sensitive data on it.

Oliver Drew

Hmmmm 

Thumb Down

I think that the responsibility in this case is two-fold...the responsibility of the individual to keep his laptop stored securely (i.e. not leaving it in his car) and the responsibility of the board to make sure that hospital data and machines are secure anywhere at any time...not having an encrypted storage device is criminal nowadays as the technology is not immature and not overly expensive or difficult to deploy...for the sake of all, give the man his job back with a reprimand and look at yourselves!

dave

lacking info 

He probably got sacked for having that data on his laptop in the first place rather than losing it - which is common and, let's be honest, accepted as something that just happens.

Since it was a unanimous decision I suspect it must have been something else than the actual loss.

Jared Earle

No need? 

Thumb Down

What was he doing with confidential patient data ON HOLIDAY?

Sack him. Oh, they did.

Adam Price

@Lawrence 

Thumb Down

Of course he shouldn't be responsible for the security of the data, but he should be more aware of the ownership of the hardware at least.

If someone takes something belonging to their employer and leaves it unattended in a car then they deserve to be sacked for it, let alone doing it whilst away on holidays.

Work laptop is for work not holidays.

Anonymous Coward

RE: No Need. 

There is probably more to it than that. For instance, the rule might have been that laptops weren't to leave the hospital, let alone be taken on holiday with employees. This stinks of disciplining him for taking the laptop, but attaching the blame of the robbery too so as to keep the board looking squeaky. One bird with two stones, so to speak.

B

Martin Gregorie

@lawrence 

Thumb Down

Excuse me. The guy takes confidential data ON HOLIDAY with him and it's somehow not his fault? It should not have been on the laptop under those circumstances. Full stop.

If you really believe that it's not his fault, then I have this nice bridge over the East River that I'm sure you'll want to buy.

IMNSHO confidential data shouldn't leave the server except as a backup or when it's requested item by item by an authorised client program connected by a secure LAN or VPN.

Nemo Metis

Let's see 

Coat

Surely this isn't still happening? After all the laptops the intelligence services have lost, one would like to think that people, especially some of the country's vital organs such as the NHS and government, would have learnt to actually plough money into data encryption and not their bank accounts. Surely it's better to have a secure job that doesn't pay as well as it could over a well paid job that lasts a week because someone's after a five-fingered discount?

mine's the one with the handbook of common sense in its pocket....

Lloyd

Andy S has asked the pertinent question 

Alien

He's a manager, so why does he need patient data? If he's doing analysis on the drugs/beds/costs then everything bar name and address would be sufficient. As far as I can tell there is no way that data like this should be shifted off of a central db (where it can be called up for treatment purposes). This is piss-poor data management across the board; idiots like this shouldn't be allowed access to personal data.

Alien because that's what data security is to the civil service.

Anonymous Coward

Lesson to learn: don't take your work home 

He obviously thought that he was indispensable; why else would he take his laptop on holiday?

I can see a lot of people now thinking twice before taking work home with them; you might get a few brownie points for dedication, but the risk seems to be pretty large. Would you employ someone who was fired like this?

A few more details would be nice though; was the laptop visible in the car or locked in the boot (Merkins, that's the trunk)? Was the data supposed to be on his laptop? The story doesn't really indicate whether firing him was over-the-top or justified...

Anonymous Coward

okay 

As you all know there are 2 sides to this security game, logical and physical. The logical is ultimately in the remit of IT. Physical, in this case, is the Manager's responsibility.

To be honest, in this case, it doesn't matter a rats arse if the data was encrypted or not, the Manager irresponsibly left it in his car to be stolen, therefore he got bagged.

But did they sack him or did they ask him to resign? Very important distinction there, if they want to minimise the chances of this happening again.

smudge

@ Lawrence 

"Give them their job back, and place the blame in the right place, and sort your data security out."

The fact that they could fire the manager must mean that they have some security policy in place, that it makes breach of security a very serious offence, and that they can show that the manager was aware of it (eg training records, he/she has signed to say they have read & understood it, etc).

That's a good start.

Now they need to tighten up their systems to ensure that if such data is copied onto a laptop - and there had better be a damn good reason for needing to - then it must be encrypted.

Anonymous Coward

If... 

... this is just a simple theft then that's a harsh punishment, if however this chap took a laptop with him on holiday that shouldn't have been there (most work laptops are for office, home and not holidays) and then left it on the seat of his car whilst he was jollying it up then that is indeed a sacking offence, as he would have known what was on the laptop. He may not have been supposed to have the records on the laptop in the first place...

min

that is seriously evil 

the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook.

the unfortunate thing is that the bloke DID have data on a laptop that should not be leaving on holiday under normal circumstances anyhow.

so serves him right. but his bosses have gotten it light and are using him as an excuse to sound off about serious enforcement of their terrible data management structure.

the poor bloke was just, by extension, a victim of his superiors' bad planning. i hope this wakes their policy team up a little.

Anonymous Coward

steps to ensure this would not happen 

Dead Vulture

would have been implemented under Fujitsu's plan for the NHS but were seen as "overly complicating things"... which says a lot about the support that FJ had from the client, really, doesn't it?

The NHS is its own worst enemy; the management has no backbone to enforce these things, and when something like this happens they make a scapegoat out of the nearest person.

Nano nano

Quotable quote 

Surely the press statement should read,

“Patients and the public should be reassured that the Trust NOW takes security and patient confidentiality very seriously."

James Bassett

Inconsequential 

Joke

I think you'll find the fact that it had confidential data on it was inconsequential. He just needed something that would play DVDs to keep the kids quiet for the long drive up to Edinburgh!

Sack him!

Anonymous Coward

Corporate failure too 

Presumably he had the laptop on holiday because he's expected to be contactable and put in some unpaid overtime. It's the norm in the public sector now too!

I'm not saying don't sack him, but the fact that data's allowed to be unencrypted is senior management's fault. Trouble is, these days although there will be written guidance, everyone knows it's unworkable, and everyone will ignore it UNTIL something like this happens. Then the hapless employee gets told exactly what the rules are, whilst his managers look uncomfortably at their shoes during the hearing, thinking "there but for the grace of god", without having the backbone to admit they're guilty too.

Thad

Simple... 

Work during working hours.

No laptops.

Data never leaves the office.

No outsourcing.

Development done by long-term employees, during office hours

All very simple

El Loco Americano

In summary... 

Taking the laptop with him on vacation - not a problem.

Having client data available in the clear on the laptop - a problem

Whose problem? If there was a policy prohibiting the use of confidential data without encryption, or prohibiting it from use on mobile devices, or requiring encryption on all mobile devices - he deserved it.

If the security policies were lax, and this poor sap just happened to be unlucky enough to be the first one to lose a device with critical data in the clear, then he's just a patsy.

ElFatbob

Maybe... 

he did deserve to lose his job, but at the end of the day the upper management are equally at fault. The apparent lack of a coherent and enforced security policy should be addressed... with some senior cast-offs...

Mike

@Min 

"the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook."

Not really. If the laptop was kept in a (feasibly) secure location (i.e. work or the home) then encryption shouldn't be necessary. Leaving a company-owned machine in a car while on holiday (why has he got a business machine on his pleasure trip? I can't take my work PC home to play games on during my hols, I had to buy my own) is removing the effective security put in place. What you're suggesting is that we should have multiple levels of security put in place to cover the same issue.

One way to improve this would be to make the employee pay for the laptop. I bought my laptop for use at a voluntary organization and (call me overprotective), but I know exactly where it is at all times - even when driving the car doors are locked and it's never left in the car if I can help it (and if it were, it'd be hidden in the boot or something, not left in plain view). These guys have all the tech provided for them, so they don't care if it gets broken/lost/stolen cos they'll just get a new one (probably even an incentive when they want an upgrade to a new machine)

Andy Livingstone

Sacked; who is next? 

I've been scouring the press for details of civil servants and military people who were disciplined in any way.

Can't find any.

Firing is absolutely the right thing to do.

Let's stop making excuses for incompetence, please.

yeah, right.

wondering... 

I wonder if this is the same manager who was told he had to have the report ready the day he returned from holiday, so he was forced to take his work with him? The same manager, perhaps, who was never told about the availability of encryption software to keep things safe and was told that "locking the laptop" would be sufficient, because the board of governors were too damn cheap to pony up for proper data security?

Yes, leaving the laptop in the car was stupid. But I still smell "scapegoat".

Illsay

What actually happened 

Stop

Let me provide some needed insight that a few commenters are missing and shine a light on the human drama, without plugging encryption tools.

Just before this manager left work for his well deserved holiday there were some pretty important reports to be finished that no one else could be bothered with at the time. Looking back volunteering for this task was a bit stupid, but the silence at the meeting was a bit awkward and embarrassing at the same time. "Yep. I'll have a look at those" was out before he realized it and he forgot about the upcoming holiday. His wife however, was not so forgetful and was p-ed off by the appearance of the laptop when they packed the car. It took miles before that subject finally died, leaving the manager exhausted trying not to look like the sucker, without playing the NHS budget card.

When they finally arrived at their holiday destination, the laptop was one of the first items the manager wanted to secure, if the dog had not escaped to freedom. The oncoming traffic barely missed the dog. The screeching of tyres was deafening and the horror on the kids' faces spoke books. Seeing our manager clumsily holding the laptop in his hands whilst the dog was nearly getting killed was a picture that infuriated the missus. This was not a good start. Quickly the laptop was tossed in the back of the car and the dog's leash picked up from the road.

Later that day, on a terrace with a half-downed pint in his hands, the manager's mind wanders off to another meeting earlier this year when encryption was discussed. "Policies is what we can afford, no techie tools or fancy consultants and their software". This was the official guideline and there was no support for spending budget on eventualities.

Now the kids and the dog come running back from the parking lot looking all excited, bless them.

Anonymous Coward

Encrypted Data 

Unhappy

Luckily our company does not deal with the general public, but the chances of our PHB being able to encrypt data are slim. I got called in for at least the fifth time yesterday to show him how to copy & paste.

No. Really. I'm serious.

Jason Pugh

About time.... 

Thumb Up

.... just wish my company would implement this sort of policy. Leaving laptop in car = breathtaking stupidity that is pretty much inexcusable. Even if the bloke was pressured into working on his vacation (and that seems to be entirely conjecture), *anyone* who gave a damn about their job would at least attempt to take better care of company equipment. If the hospital has not implemented an appropriate data security policy, then there is certainly a question of where that responsibility lies, but that does not provide *any* excuse for this sort of behaviour.

Anonymous Coward

Homes are not secure anymore 

More laptops are being stolen whilst kept at home, whilst people are sleeping upstairs ... thieves break-in (quietly), take the laptops, satnavs and other small easily fenced items oh and for good measure they nick the car keys and take the cars as well.

I get to talk to these people who get broken in to like this and that's why I have full disk encryption, encrypted USB sticks and encrypted backups in safes ... and that is just at home 8-) Plus, the burglar alarm goes on at night!

However, this guy probably does deserve disciplining and the trust needs to tell its employees the full terms and conditions that they should work under and what the data protection act etc requires them to do. They all have a collective responsibility though.

RW

There's more to this story than meets the eye 

Jobs Halo

My first reaction to the headline was "at long last, somebody's been held personally liable for data loss" but reading earlier comments has made me reconsider my bloodthirsty attitude.

It's clear, in a fuzzy, foggy, vague sort of way, that there is no established protocol covering the use of what, for lack of a better word, we can call "confidential data." By this, I mean an established, universal protocol applicable to enterprises of all sorts, not just the Colchester Hospital, the NHS, or medical operations in general.

Such a protocol might include, for example:

1. Stipulation of a confidentiality level for every data item on file. Names, DOB, ID numbers, telephone numbers, addresses would be among the more highly confidential items.

2. A need-to-know policy that relates all uses of data to the confidentiality level. For example, if a statistical study is carried out, none of the highly confidential data would be available. But note, otoh, that an office receptionist must know names and telephone numbers, among other things.

[PS: points 1 & 2 are written vis a vis medical records. In the business world, proprietary data would also be of the highest confidentiality, but would also have to be available for some statistical analyses.]

3. Universal provision of server space so data is never stored on a laptop or desktop system.

4. A review of this insane idea that one is on the job 24/7/365. Let's have a one-to-one correspondence between hours in the office and hours of work, no work outside those hours at all. IOW, no work at home, while commuting, while on vacation, etc.

5. Hardware solutions like diskless systems, blocking portable storage devices, no individual burning of CDs, etc. Alternatively, if a local disk is essential (not merely something a Big Boss craves), rollout of new machines should include installation of full disk encryption

This is the merest skeleton of such a protocol; I'll leave it to the more highly tuned brains of others to flesh it out in detail and turn it into a viable standard. [And yes, I've repeated points made in earlier comments. No claim for originality.]

The barriers to establishing such a protocol and to its implementation are two-fold. First of all, the existing standards mechanism such as the ISO is beyond clumsy and awkward, being a committee effort. I almost have more faith in the one-man RFC than the ISO approach to the formulation of standards.

Second, management are meatheads. Management ranks in many, perhaps all, enterprises of all sorts, are filled with those who have reached, and in many instances risen above, their respective levels of incompetence. Perhaps the only solution is to stipulate that organizational heads are personally responsible, and it's up to them to ensure that the managerial ranks under them fully understand and buy into such standard protocols. IOW, if you are a CEO and not a meathead yourself, you'll have to get rid of the meatheads under you. You can always put them to work swabbing out toilets. Boards would have to be responsible, at risk of dismissal, for ensuring that their CEO isn't a meathead himself.

This second barrier is more severe than it might seem. My own experience is that once an idiot manages to weasel himself into the ranks of management, he becomes an untouchable: no matter what his failures and misdeeds and incompetencies, he will never be fired, not even demoted.

Apologies for an overly long, rambling comment. I hope it provokes further thinking by the tribe of El Reg readers.

Too bad there's no "won't shut up" icon for longwinded screeds like this one. Ballmer will have to do.
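RW's points 1 and 2 above (a confidentiality level for every field, and a need-to-know rule that gives statistical work none of the highly confidential items) and Lloyd's remark further up that a manager's analysis needs "everything bar name and address" describe a procedure that is easy to show concretely. The following is an added example, not code from any comment on this page or from the Trust: a small Python script that takes constructed patient records, refuses to export any field that has not been given a classification, drops direct identifiers, replaces the NHS number with a keyed pseudonym, generalises date of birth and postcode, and checks before anything leaves the server that no direct identifier survived. The field names, the three-level classification, the key and the sample records are all assumptions for illustration.

```python
"""Added example: derive a manager's report dataset from patient records
without handing out direct identifiers.  All field names, classification
levels, keys and sample records are constructed for illustration."""
import hashlib
import hmac
from datetime import date

# Assumed classification scheme, after RW's points 1 and 2.
DIRECT = "direct"      # identifies a person on its own: never leaves the server
QUASI = "quasi"        # identifies in combination: leaves only after generalisation
CLINICAL = "clinical"  # what the analysis actually needs

FIELD_CLASS = {
    "nhs_number": DIRECT, "name": DIRECT, "address": DIRECT, "telephone": DIRECT,
    "date_of_birth": QUASI, "postcode": QUASI,
    "ward": CLINICAL, "admitted": CLINICAL, "discharged": CLINICAL,
    "drug_cost_gbp": CLINICAL,
}

REPORT_DATE = date(2008, 8, 1)  # assumed reference date for age bands

# Constructed records; the NHS numbers, names and addresses are not real.
RECORDS = [
    {"nhs_number": "1234567881", "name": "A. Patient", "address": "1 Example Rd",
     "telephone": "01206 000000", "date_of_birth": date(1961, 3, 15),
     "postcode": "co3 4ab", "ward": "Aldham", "admitted": date(2008, 6, 2),
     "discharged": date(2008, 6, 9), "drug_cost_gbp": 412.50},
    {"nhs_number": "9876543219", "name": "B. Patient", "address": "2 Example Rd",
     "telephone": "01206 000001", "date_of_birth": date(1995, 9, 30),
     "postcode": "CO7 6XY", "ward": "Birch", "admitted": date(2008, 7, 20),
     "discharged": date(2008, 7, 22), "drug_cost_gbp": 55.00},
]


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed hash: the same patient gets the same reference in every extract,
    but it cannot be reversed without the key, which stays on the server."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, as_of: date) -> str:
    """Generalise an exact date of birth to a ten-year band."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def outward_code(postcode: str) -> str:
    """Keep only the outward (district) part of a UK postcode."""
    return postcode.strip().upper().split()[0]


def deidentify(record: dict, key: bytes, as_of: date) -> dict:
    """Build the row a manager may take off site.  Unclassified fields fail closed."""
    out = {}
    for field, value in record.items():
        level = FIELD_CLASS.get(field)
        if level is None:
            raise ValueError(f"field {field!r} has no classification; refusing to export")
        if level == CLINICAL:
            out[field] = value
        # DIRECT fields are dropped; QUASI fields are rebuilt below in generalised form.
    out["patient_ref"] = pseudonym(record["nhs_number"], key)
    out["age_band"] = age_band(record["date_of_birth"], as_of)
    out["area"] = outward_code(record["postcode"])
    out["length_of_stay_days"] = (record["discharged"] - record["admitted"]).days
    return out


def leaked_identifiers(rows: list) -> set:
    """Last check before anything is copied anywhere: which direct-identifier
    fields, if any, are still present in the export?"""
    direct = {f for f, lvl in FIELD_CLASS.items() if lvl == DIRECT}
    return {f for row in rows for f in row if f in direct}


def build_report(records: list, key: bytes, as_of: date) -> list:
    """De-identify every record and refuse to release the set if the check fails."""
    rows = [deidentify(r, key, as_of) for r in records]
    leaked = leaked_identifiers(rows)
    if leaked:
        raise RuntimeError(f"export contains direct identifiers: {sorted(leaked)}")
    return rows


if __name__ == "__main__":
    SERVER_KEY = b"assumed-server-side-secret-never-copied-to-laptops"
    for row in build_report(RECORDS, SERVER_KEY, REPORT_DATE):
        print(row)
```

Two design points worth noting. The pseudonymisation key never travels with the extract, so a stolen laptop yields rows that cannot be joined back to the patient index without server-side help; and the export refuses to run on a field nobody has classified, so a new column added to the database cannot quietly ride along. Generalising date of birth and postcode reduces, but does not remove, re-identification risk when the extract is joined with other data, which is why the thread's other point, encrypting whatever does end up on the laptop, still stands.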

wayne tavitt

outbreak of common sense 

Should have been sacked the minute he put the confidential data on the laptop.

Anonymous Coward

I don't get it 

why would anyone want to go to Edinburgh for a holiday?

Kevin Reader

Even the insurance wouldn't have covered it... 

Stop

To try and mitigate the fool vs scapegoat argument I thought I'd offer the following.

While contracting I had a home/work insurance policy. This covered contents for household, business and travel risks and avoided issues about whether X is a personal or business possession. It even covered my laptop UNLESS it was unattended/insecure.

Cover was explicitly excluded from a locked motor vehicle which counted as INSECURE.

While this may not apply to every policy, I would have thought just leaving the laptop in the car was enough to take blame for the loss of the laptop. To do it with patient data on it is mad. I also wonder why a MANAGER would need to travel home with UN-ANONYMISED clinical data. For that part the NHS should take the blame; they would not have done it (hopefully) when you only had one paper file for all your patient notes.

Matthew

He's not a doctor 

Dead Vulture

He's a manager, what's he doing with thousands of patient treatment records?

The fact that the data is on his laptop (irrespective of encryption or theft status) should be a disciplinary offence.

David Eddleman

Not his fault 

Stop

You really can't fault the guy for leaving his laptop in the car. That's not the real issue here. He left it in a secure location (behind a locked door) and that's responsible enough. Different story if he left it out in the open for anyone to take -- now we're talking gross negligence.

The problem comes from not encrypting the data and making reasonable safeguards against third-party access. The ones who should be disciplined are the company's IT staff (assuming that this guy's not on that -- if he is, well, yer fault buddy!). They gave him remote access to company data that should be secured properly in the first place.
