Royal Borough of Windsor & Maidenhead

Breach details

What Personal data disclosed on the council’s intranet in error.
How much 257 records.
When January 2013.
Why A spreadsheet containing details of individuals who had not signed a new employment contract was wrongly appended to a review document for general access on the intranet, rather than being added separately as a restricted item. The ICO investigation revealed that data protection and information security training for those with access to personal data had not been mandatory and that the policies on handling personal data were incomplete.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 26 November 2013.
Details The Council will review and revise its data protection policies and ensure existing staff have appropriate training by 31 December 2013. All new staff whose roles involve access to personal data will receive training as soon as they begin their employment at the Council. Compliance with these policies and the training will be regularly monitored and enforced.

Better Together

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR) – Sent text messages without the consent of the recipients.
How many 300,000 SMSs.
When 22 March 2013 and 27 April 2013.
Why Better Together were sending out text messages to individuals in Scotland regarding how they would vote in the Scottish Independence Referendum. However, they did not ensure the recipients had given their consent to be contacted as they believed another company had already done this on their behalf.

Regulatory action

Regulator ICO
Action Undertaking to comply with Regulation 22(2) of PECR.
When 19 November 2013.
Details Two rounds of texts were sent out even though Better Together had received a letter from the ICO warning them to comply with the law.

Great Ormond Street Hospital for Children NHS Foundation Trust

Breach details

What Letters containing medical information were sent to the wrong address.
How much 4 records.
When A period of 18 months up to November 2013.
Why Letters were sent out by temporary or bank staff who had not received relevant data protection training as such training was not required for temporary members of staff. Permanent staff were also not obliged to attend training as it was not enforced. In addition to this there were no policies or procedures in place to ensure the accuracy of addresses.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 21 November 2013.
Details Temporary or bank staff must be provided with data protection training before working with personal and sensitive personal data and all training is to be monitored and attendance enforced. Processes are also to be put in place to ensure documents are sent to the right address and practical guidance is to be communicated to all staff.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, so Panasonic’s comprehensive data protection policies, which would have prevented this breach, did not automatically apply. It appears that these policies were not communicated to the company and that the data protection provisions in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether it was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Royal Veterinary College

Breach details

What Theft of a camera memory card containing passport images of multiple job applicants.
How much An unknown number.
When December 2012.
Why A memory card containing applicant passport photos was stolen from a camera owned by an employee, and thus fell outside the RVC’s policies and procedures. The possibility of personal devices being used in the workplace was not accounted for in these policies. Staff data protection training is also inadequate and is not being proactively addressed to prevent similar issues occurring in the future.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 15 October 2013.
Details The RVC is to implement mandatory induction and annual refresher training to all staff who routinely process personal information by 30 April 2014. This training is to be recorded and monitored, and follow-up procedures are to be implemented to ensure that all staff complete this training. In addition to training, all portable and mobile devices used to transmit personal data are to be encrypted and advice given on the use of personal devices.

Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Cardiff and Vale University Health Board

Breach details

What Loss of a bag containing sensitive personal data including a mental health act tribunal report, a solicitor’s letter, and five CVs.
How much Documents relating to at least seven individuals.
When 26 November 2012.
Why A consultant psychiatrist lost their bag containing these documents when cycling home from the office. The documents were necessary for the consultant to work outside of the office environment, but although other more secure means of transporting the data or remote server access were available they were not communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 04 October 2013.
Details The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s systems and should be refreshed within two years. In addition to training, new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.

Cardiff City Council

Breach details

What Failure to meet the requirements of section 7 of the Act.
How much One complaint.
When 21 July 2011.
Why The Council failed to respond to a subject access request within the prescribed 40-day period. The Commissioner found that there were systematic failures to meet section 7.

Regulatory action

Regulator ICO
Action Undertaking to comply with the sixth data protection principle.
When 28 August 2013.
Details The Council shall immediately set up clearly defined and managed procedures for dealing with subject access requests and provide staff with the appropriate training. This should include measures for the storage of paper records to ensure that subject access requests are responded to promptly and appropriately.

Local Government Ombudsman (the LGO)

Breach details

What A bag containing an encrypted portable media device and hard copy papers relating to planning application complaints. This included sensitive personal information relating to one of the complainant’s physical or mental health.
How much 8 complaints.
When Unknown.
Why A bag containing sensitive personal information was stolen from one of the Ombudsman’s investigators at a public house. There was a specific reason for the papers to be taken out of the office, and a policy on the security of information in transit existed, but staff were unaware of the policy due to a lack of training.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 22 August 2013.
Details The company shall provide mandatory annual training to all staff whose role includes the routine processing of personal information. The company shall also ensure that all staff are aware of its policies relating to personal information and are updated of any changes to these policies.