Monthly Archives: October 2012

Department of Education

Posted on by

Breach details

What Loss of personal information.
How much An unknown number of records.
When 28/29 June 2012
Why The Register reported that Email addresses, unencrypted passwords and individual’s answers to questions posed in a consultation were accesable due to a security flaw in the Department for Education’s website.

BW Comments

Judging by the description in The Register the vulnerability looked like a session management problem. Something that should have been caught be the most rudimentary penetration test.

Regulatory action

Regulator ICO
Action None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”

BW Observations

Just because an organisation breaks the DPA the ICO isn’t bound to take action, however BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any web site that collected personal data.

Links

Original report from The Register

Stoke-on-Trent City Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Links

View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Via ICO Website)
View PDF of the Stoke-on-Trent City Council Enforcement Notice (Breach Watch Archive)
View PDF of the Stoke-on-Trent City Council Enforcement Notice (Via ICO Website)

Greater Manchester Police

Posted on by

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

Links

View PDF of the Greater Manchester Police Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Greater Manchester Police Monetary Penalty Notice (Via ICO Website)

Norwood Ravenswood Ltd

Posted on by

Breach details

What Loss of sensitive personal data.
How much Four records.
When 5 December 2011
Why A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared..

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 10 October 2012

Why the regulator acted

Breach of act Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not recieved any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known The data controller had an overarching data protection policy which staff were aware of, even if specific guidence was not given. The sensitivity of staff’s work would have been self evident.
Likely to cause damage or distress The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Links

View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Via ICO Website)

Enfield Council: Confidential Files Found in Disused Building

Posted on by

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Personnel files found in Llandudno skip

Posted on by

What
Loss of sensitive personal data

How much
Unknown.

Why

Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of riving licences with a photocopied photograph and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links