Gwent Police

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidentally forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto-completing of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover, the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

NHS Blood and Transplant

What

Loss of sensitive personal information.

How much

444,031 records

Why

Organ donation preferences were recorded incorrectly due to a software error.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data must be routinely checked for accuracy.

Reason for action

The software error had been introduced into the system early in 1999 and had not been uncovered in the years that followed due to a lack of data checks.

When

21 January 2011

Links

View PDF of the NHS Blood and Transplant Undertaking (Via ICO Website)

View PDF of the NHS Blood and Transplant Undertaking (Breach Watch Archive)

Scottish Court Service

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents that had been inappropriately disposed of were discovered at a recycling centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)

Stoke-on-Trent City Council

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick, the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

Google

What

Mistaken collection of payload data.

How much

Unknown, but likely to be minimal.

Why

Google Streetview vans, adapted to pick up on publicly available Wi-Fi signals, had mistakenly collected payload data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Google puts in place improved training measures on security awareness and data protection issues for all employees. Project engineers will be required to maintain a privacy design document for every new project before it is launched. All the payload data must be deleted.

Reason for action

Google took rapid remedial action; however, the fact that the issue occurred at all was still of note. Google was required to facilitate a consensual audit by the ICO.

When

19 November 2010

Links

View PDF of the Google Undertaking (Via ICO Website)

View PDF of the Google Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Rainforest Alliance Ltd

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the data controller's security policies.

Reason for action

Although the laptop was password protected and used with permission, it was not encrypted, and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)

Portsmouth City Council

What

Inappropriate disclosure of personal information.

How much

One record.

Why

Third-party data related to an individual was inappropriately released due to a SAR request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all individuals dealing with SARs receive sufficient training and guidance.

Reason for action

It transpired that the individual tasked with redacting data for this type of request was neither an employee of the data controller nor acting under process as a data processor. It was also revealed that the guidance and checking of these processes was inadequate.

When

19 October 2010

Links

View PDF of the Portsmouth City Council Undertaking (Via ICO Website)

View PDF of the Portsmouth City Council Undertaking (Breach Watch Archive)

North West London Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

56 records.

Why

A computer printout containing patient information was left in a general folder used for auditing that was accidentally left on a tube train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that pseudonymisation techniques are used where individual identification of patients is needed for audit work.

Reason for action

Although much audit work is carried out at home, there was no need for this computer printout to contain the genuine identities of patients.

When

14 October 2010

Links

View PDF of the North West London Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Forth Valley NHS Board

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handed in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)