Monthly Archives: May 2013

Halton Borough Council

Posted on by

Breach details

What Details of adoptive parents accidentally disclosed to birth parents.
How much 1 record.
When 25 May 2012
Why An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake only to use the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.

Links

View PDF of the Halton Borough Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Halton Borough Council Monetary Penalty Notice (Via ICO Website)

–>

Stockport Primary Care Trust

Posted on by

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Links

View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Via ICO Website)

News Group Newspapers

Posted on by

Breach details

What Customers’ personal data, some several years old.
How much ‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When July 2011
Why A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator ICO
Action Undertaking to comply with the fifth and seventh data protection principles
When 9 November 2011
Details Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.

  • There was a breach of the fifth and seventh principles.
  • There had been a previous penetration test, so the Sun knew of the vulnerability.
  • It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

Links

View PDF of the News Group Newspapers Undertaking (Breach Watch Archive)
View PDF of the News Group Newspapers Undertaking (Via ICO Website)

The Burnett Practice

Posted on by

Breach details

What Names and email addresses.
How much About 175 records.
When 3 October 2012 or earlier
Why The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 26 April 2013
Details The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

Links

View PDF of The Burnett Practice Undertaking (Breach Watch Archive)
View PDF of The Burnett Practice Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 17 October 2013.
View PDF of the Burnett Practice Undertaking Follow Up (Breach Watch Archive)
View PDF of the Burnett Practice Undertaking Follow Up (Via ICO Website)