South Yorkshire Police

What
Loss of personal data

How much
600 records.

Why
Personal data, relating to drug offences by 600 arrested individuals, was accidentally included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be trained in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offenders' names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)

Belfast Health and Social Care Trust

Breach details

What
Loss of sensitive personal data.

How much
About 10,000 records.

When
May 2010

Why
Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physical records there on the internet. Despite security upgrades following this incident, intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator
ICO

Action
Monetary penalty of £225,000

When
19 June 2012

Why the regulator acted

Breach of act
Site was insufficiently secure to prevent intrusion. Inappropriate organisational and technical measures.

Known or should have known
The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.

Likely to cause damage or distress
Medical records and financial data of employees.

Telford & Wrekin Council

Breach details

What
Inappropriate disclosure of sensitive personal data.

How much
Two records over two incidents.

When
31 March 2011

Why
On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother; following this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator
ICO

Action
Monetary penalty of £90,000

When
6 June 2012

Why the regulator acted

Breach of act
There was no formal checking process in place to prevent documents being sent to the wrong recipients. Inappropriate organisational and technical measures.

Known or should have known
Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.

Likely to cause damage or distress
Data relating to a vulnerable child in foster care.

Brighton and Sussex University Hospitals NHS Trust

Breach details

What
Loss of sensitive personal information.

How much
79,000 records.

When
March 2008

Why
Initially, four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken, there were insufficient records kept to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator
ICO

Action
Monetary penalty of £325,000

When
1 June 2012

Why the regulator acted

Breach of act
Failure to select a data processor able to provide guarantees of technical security – loss of hard drives. Inappropriate organisational and technical measures.

Known or should have known
Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.

Likely to cause damage or distress
Medical data of patients.