Loss of sensitive personal data.
Approximately 2,000 records.
Theft of a patient medication record system.
Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.
Reason for action
The PMR system was stolen for the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, whom they had been paying a monthly retainer to, prior to the transfer of ownership process.
27 Mar 2012
View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)
View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)
Loss of personal information.
All payment records for the data controller’s employees.
A data processor received a request from one of the data controller’s ex-employees for a copy of one of his payslips. In error, the data processor, which was acting on behalf of the data controller, emailed him a PDF document showing the relevant month’s payslips for all the data controller’s employees.
Undertaking issued to ensure that all staff are made aware of the data controller’s amended policy for the storage and use of personal data and are appropriately trained how to follow that policy. Personal data transmitted over email must be encrypted to a sufficient standard.
Reason for action
In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.
23 May 2012
View PDF of Holroyd Howe Independent Ltd Undertaking (Via ICO Website)
View PDF of Holroyd Howe Independent Ltd Undertaking (Breach Watch Archive)