Yorkshire Building Society

What

Loss of personal information.

How much

A “substantial” number.

Why

Theft of an unencrypted laptop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that compliance with IT security policies is appropriately and regularly monitored.

Reason for action

The laptop was unencrypted and, contrary to policies and procedures, the manager had written down passwords and left these and the laptop under his desk overnight.

When

26 August 2010

Links

View PDF of the Yorkshire Building Society Undertaking (Via ICO Website)

View PDF of the Yorkshire Building Society Undertaking (Breach Watch Archive)

DSG Retail

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessary security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing of such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breachwatch Archive)

Zurich Insurance Plc (Zurich UK)

What

Loss of personal information including bank and credit card details and details of insured properties.

How much

46,000 records.

Why

Unencrypted backup tape lost by Data Processor.

Regulator

FSA

Regulatory action

Monetary penalty: £2,275,000

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with any other data processor.

When

24 August 2010

Links

View the press release relating to Zurich Insurance on the FSA website

View PDF of the Zurich Insurance Final Notice (via FSA website)

View PDF of the Zurich Insurance Final Notice (Breachwatch archive)

Royal Wolverhampton Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear exactly how the CD had come to be made. Patient charts released to consultants were not chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Children’s Mutual

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidentally sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

Direct Response Security Systems

What

Breach of the Privacy and Electronic Communications Regulations.

How much

Why

Making of unsolicited marketing calls.

Regulator

ICO

Regulatory action

Enforcement notice issued to ensure that the numbers of any subscribers who have declared that they do not wish to receive marketing calls are suppressed, and that all line data is checked against the TPS (Telephone Preference Service) list every 28 days.

Reason for action

Each of the individuals who complained about the calls from Direct Response Security Systems Limited had already stated that they did not wish to receive such calls, yet continued to receive them.

When

19 August 2010

Links

View the Direct Response Security Systems Enforcement Notice (Via ICO Website)