Category Archives: ICO monetary penalty

Cheshire East Council

Posted on 15 February 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal information.
How much	One record.
When	April 2011
Why	An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 80,000
When	15 February 2012

Why the regulator acted

Breach of act	Sensitive email mistakenly forwarded to over 180 recipients. Inappropriate organisational and technical measures.
Known or should have known	Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress	Details could jeopardise the data subject’s livelihood.

Links

View PDF of the Cheshire East Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Cheshire East Council Monetary Penalty Notice (Via ICO Website)

Croydon Council

Posted on 13 February 2012 by BreachMaster

Breach details

What	Croydon Council.
How much	One record.
When	20 April 2011
Why	A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved and the onus was on staff to update their own knowledge and read the data controller’s policies in the intranet. No checks were made to ensure that staff had read or understood these police.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 100,000
When	13 Fenruary 2012

Why the regulator acted

Breach of act	Loss of papers, which could disrupt an ongoing legal case. Inappropriate organisational and technical measures.
Known or should have known	It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress	Information related to an ongoing legal case.

Links

View PDF of the Croydon Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Croydon Council Monetary Penalty Notice (Via ICO Website)

Norfolk Council

Posted on 13 February 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal information.
How much	One records.
When	April 2011
Why	A social worker in the Data Controller’s Children’s Service’s department intended to deliver a copy of a report on a conference to a child’s father, but accidently wrote the wrong address on an envelope and placed it through the door of the father’s neighbour. Although a policy was in place to provide guidance about sending personal data by post it was possible that the social worker was unaware of this as she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor trainin.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 80,000
When	13 February 2012

Why the regulator acted

Breach of act	Even had policy been followed there was nothing to prevent the incorrect delivery of the wrongly addressed letter. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress	Data related to the physical and emotional well-being of a child.

Links

View PDF of the Norfolk Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Norfolk Council Monetary Penalty Notice (Via ICO Website)

Midlothian Council

Posted on 30 January 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal data on five separate occasions.
How much	Five records.
When	March 2011
Why	Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 140,000
When	30 01 2012

Why the regulator acted

Breach of act	Multiple letters were sent to the wrong recipient. Inappropriate organisational and technical measures.
Known or should have known	Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress	Personal information of vulnerable individuals.

Links

View PDF of the Midlothian Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Midlothian Council Monetary Penalty Notice (Via ICO Website)

Powys County Council

Posted on 6 December 2011 by BreachMaster

Breach details

What	Disclosure of sensitive personal information.
How much	19 records.
When	4 February 2011
Why	A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 130,000 Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
When	6 December 2011

Why the regulator acted

Breach of act	Data sent to an incorrect recipient. Inappropriate organisational and technical measures.
Known or should have known	Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress	Data related to a child and has the potential for misuse.

Links

View PDF of the Powys County Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Powys County Council Monetary Penalty Notice (Via ICO Website)

View PDF of the Powys County Council Enforcement Notice (Breach Watch Archive)

View PDF of the Powys County Council Enforcement Notice (Via ICO Website)

Worcestershire County Council

Posted on 28 November 2011 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal information.
How much	“A large number” of records.
When	Unknown
Why	A member of staff accidently clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 80,000
When	28 November 2011

Why the regulator acted

Breach of act	Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated. Inappropriate organisational and technical measures.
Known or should have known	Employees routinely dealt with confidential and sensitive personal data and manages should have realised the potential for human error when selecting emails lists.
Likely to cause damage or distress	Details of vulnerable young adults.

Links

View PDF of the Worcestershire County Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Worcestershire County Council Monetary Penalty Notice (Via ICO Website)

North Somerset Council

Posted on 28 November 2011 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal information.
How much	Two records.
When	12 November 2010
Why	A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 60,000
When	28 November 2011

Why the regulator acted

Breach of act	Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted. Inappropriate organisational and technical measures.
Known or should have known	Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress	Data related to vulnerable individuals and could be misused.

Links

View PDF of the North Somerset Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the North Somerset Council Monetary Penalty Notice (Via ICO Website)

Surrey Council

Posted on 9 June 2011 by BreachMaster

Breach details

What	Loss of sensitive personal information on three occasions.
How much	241 records.
When	May – June 2010
Why	Records were accidently sent out in an email copied to a global distribution list, minutes of a confidential strategy discussion erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 120,000
When	9 June 2011

Why the regulator acted

Breach of act	Emails were unencrypted and sent to the wrong recipients. Inappropriate organisational and technical measures.
Known or should have known	The risk of incorrect drop down boxes being selected were “self evident”.
Likely to cause damage or distress	Records related to special needs.

Links

View PDF of the Surrey Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Surrey Council Monetary Penalty Notice (Via ICO Website)

Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

Posted on 10 May 2011 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	6,000 records.
When	2009 – May 2010
Why	Insufficient measures taken to protect spreadsheets containing personal data, which was made available online following a DDOS attack.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 1,000
When	10 May 2011

Why the regulator acted

Breach of act	Unencrypted spreadsheets were placed on a torrent site following a denial of service attack. “Home-use” web service used rather than a business package. Inappropriate organisational and technical measures.
Known or should have known	Data controller was fully aware of the sensitive nature of the data he dealt with and that his business was controversial and unpopular with some. The risk of attack was clear, yet he set up his set without professional IT advice.
Likely to cause damage or distress	Financial and medical information of many individuals.

Links

View PDF of the Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law Monetary Penalty Notice (Via ICO Website)

Ealing Council

Posted on 8 February 2011 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	958 records.
When	2010
Why	Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 80,000
When	08 February 2011

Why the regulator acted

Breach of act	Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known	Data controller was aware of the possible consequences of the such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress	Personal data of clients.

Links

View PDF of the Ealing Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Ealing Council Monetary Penalty Notice (Via ICO Website)