Monthly Archives: May 2009

Amicus Legal Ltd

Posted on by

What
Loss of personal data.

How much
100,000 records.

Why
An unencrypted laptop containing personal data was stolen from the locked hotel room of a contracted consultent.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted. All staff must be made aware of this policy, including contracted consultants.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the transfer of the data in question on to a privately owned and unencrypted personal laptop.

When
28 May 2009

Links
View PDF of the Amicus Legal Ltd Undertaking (Breach Watch Archive)

Salford Royal NHS Foundation Trust

Posted on by

What
Loss of sensitive personal data.

How much
3,500 records.

Why
An unencrypted desktop computer containing personal data was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted and only held for as long as absolutely necessary. Mandatory induction data protection training must to given to all staff.

Reason for action
The desktop computer was not secured to the desk or encrypted. Initially the incident was treated only as a loss of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data.

When
22 May 2009

Links
View PDF of the Salford Royal NHS Foundation Trust Undertaking (Breach Watch Archive)

First Response Finance Ltd

Posted on by

What
Loss of personal data.

How much
One record.

Why
The data controller was attempting to establish the current employment of an individual, for the purpose of an application to the Court for an Attachment of Earnings order. The fax which was brought to a District Judge’s attention contained questions asking for personal data which were irrelevant and execisve for the purpose.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Act and in particular the First and Third Principles.

Reason for action
The data controller was asking for personal data without any necessity to do so.

When
11 May 2009

Links
View PDF of the First Response Finance Ltd Undertaking (Breach Watch Archive)

Leicester City Council

Posted on by

What
Loss of sensitive personal data.

How much
About 80 records.

Why
An unencrypted USB memory stick containing data relating to about 80 children was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Staff must be suitable trained in these internal policies and sufficient supervisory checks must be put into place to ensure adherence.

Reason for action
The storage of personal data on an unencrypted USB stick was contrary to council policies and procedures, which required all such devices to be purchasing centrally through its IT department and encrypted.

When
7 May 2009

Links
View PDF of the Leicester City Council Undertaking (Breach Watch Archive)