Monthly Archives: June 2010

Kent Police

Posted on by

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are regulated. Where necessary staff must be given secure transportation and storage facilities for data outside of the office

Reason for action
The officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home in breach of the data controller’s policy

When
18 June 2010

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

West Sussex County Council

Posted on by

What
Loss of sensitive personal information.

How much
Unknown.

Why
Theft of an unencrypted laptop from an employee’s home

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that staff are made aware of policies on data protection.

Reason for action
Enquiries revealed that the employee had not received any formal data protection/IT security training and was unaware of how to access the data controller’s secure network drive remotely. Although encrypted removable media was available to staff no technical measures were yet in place to enforce their use and it was also discovered that about 2,300 unencrypted laptops were likely to still be in use.

When
17 June 2010

Links
View PDF of West Sussex County Council Undertaking (Via ICO Website)

View PDF of West Sussex County Council Undertaking (Breach Watch Archive)

London Borough of Barnet

Posted on by

What
Loss of sensitive personal information.

How much
Over 9,000 records.

Why
Theft of an encrypted laptop and unencrypted USB and CDs from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are sufficiently encrypted and that staff are suitably trained in the data controller’s policies on data protection, which must be regularly monitored.  Finally the data controller shall agree to a further audit by the ICO within the current fiscal year, to ensure that the requirements of this undertaking are met.

Reason for action
The employee had downloaded the data into the unencrypted devices without authorisation, though enquires revealed that insufficient measures were in place to prevent staff from doing so.

When
15 June 2010

Links
View PDF of London Borough of Barnet Undertaking (Via ICO Website)

View PDF of London Borough of Barnet Undertaking (Breach Watch Archive)

Basingstoke and North Hampshire NHS Trust

Posted on by

What
Unnecessarily sharing of sensitive personal data

How much
917 records

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not passport protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)