Monthly Archives: November 2010

Hertfordshire County Council

Posted on by

Breach details

What Loss of highly sensitive personal information by fax.
How much 47 records.
When 11 June 2010
Why Two faxes were sent to the wrong recipients.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 22 November 2010

Why the regulator acted

Breach of act Faxes sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known The ICOs advice on faxing protocols after the first incident were ignored, but the risk had been made clear.
Likely to cause damage or distress Data relating to vulnerable children.

Links

View PDF of the Hertfordshire County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hertfordshire County Council Monetary Penalty Notice (Via ICO Website)

Stoke-on-Trent City Council

Posted on by

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

A4e Ltd

Posted on by

Breach details

What Loss of sensitive personal information.
How much 24,000 records.
When 18/19 June 210
Why Theft of an unencrypted laptop from staff member’s home.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 22 November 2010

Why the regulator acted

Breach of act Theft of an unencrypted laptop.
Inappropriate organisational and technical measures..
Known or should have known Data controller was aware of the possible consequences of laptops being stolen and had commenced a laptop encryption program.
Likely to cause damage or distress Financial and personal information of clients.

Links

View PDF of the A4e Ltd Monetary Penalty Notice (Breach Watch Archive)
View PDF of the A4e Ltd Monetary Penalty Notice (Via ICO Website)

Google

Posted on by

What

Mistaken collection of payload data.

How much

Unknown, but likely to be minimal.

Why

Google Streetview Vans, adapted to pick up on publically available Wi-Fi signals had mistakenly collected payload data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Google puts in place improved training measures on security awareness and data protection issues for all employees. Project engineers will be required to maintain a privacy design document for every new project before it is launched. All the payload data must be deleted.

Reason for action

Google took rapid remedial action, however the fact that issue occurred at all was still of note. Google was required to facilitate a consensual audit by the ICO.

When

19 November 2010

Links

View PDF of the Google Undertaking (Via ICO Website)

View PDF of the Google Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

Posted on by

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Rainforest Alliance Ltd

Posted on by

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted Laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the Data controllers security policies.

Reason for action

Although the laptop was password protected and used with permission it was not encrypted and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)