Monthly Archives: February 2012

Southampton City Council

Posted on by

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller required taxi operators to record all conversations and images while the vehicles were in use.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to erase any personal data in the audio recordings that have already been obtained and held, and refrain from recording any such personal data in the future.

Reason for action
The recording policy was considered unnecessary and fundamentally invasive to private individuals using the car, be they driver or passenger.

The Enforcement notice was upheld on appeal to the first-tier (Information Rights) tribunal.When
7 February 2012

Links
View PDF of the Southampton City Council Enforcement Notice (Via ICO Website)

View PDF of the Southampton City Council Enforcement Notice (Breach Watch Archive)

Staffordshire County Council

Posted on by

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller failed to respond to an individual’s subject access request in the prescribed period of 40 days.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to supply the individual with a copy of a document within 35 days of the Notice being issued.

Reason for action
The data controller failed to inform the individual, without undue delay, whether personal data relating to him was being processed by it or on its behalf.

When
7 February 2012

Links
View PDF of the Staffordshire County Council Enforcement Notice (Via ICO Website)

View PDF of the Staffordshire County Council Enforcement Notice (Breach Watch Archive)

E*Trade Securities Ltd.

Posted on by

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)