East & North Hertfordshire NHS Trust

What

Loss of sensitive personal information.

How much

Unknown.

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller’s policy for the use of portable media and storage and use of personal media is clarified and all staff are made aware of its provisions.

Reason for action

The unencrypted USB stick had not been issued by the data controller.

When

20 September 2010

Links

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Via ICO Website)

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Breach Watch Archive)

Yorkshire Building Society

What

Loss of personal information.

How much

A “substantial” number.

Why

Theft of an unencrypted laptop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that compliance with IT security policies is appropriately and regularly monitored.

Reason for action

The laptop was unencrypted and, contrary to policies and procedures, the manager had written down passwords and left these and the laptop under his desk overnight.

When

26 August 2010

Links

View PDF of the Yorkshire Building Society Undertaking (Via ICO Website)

View PDF of the Yorkshire Building Society Undertaking (Breach Watch Archive)

DSG Retail

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessary security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing of such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breach Watch Archive)

Royal Wolverhampton Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear how exactly the CD had come to be made. Any patient charts released to consultants would not be chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Children’s Mutual

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidentally sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

Birmingham Children’s Hospital NHS Foundation Trust

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put in place to ensure that data security policies are adhered to consistently. Any portable media must be suitably encrypted, or, if this is impossible due to the functions required, physical security must compensate for the additional risk.

Reason for action

This event followed a previously self-reported security breach. The laptops were unencrypted and insufficiently secure.

When

14 July 2010

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)

Buckinghamshire County Council

What
Loss of sensitive personal information.

How much
Two records.

Why
Loss of documents containing sensitive personal data included in a plastic wallet with flight and accommodation details given to a social work employee flying to another UK city.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a proper risk assessment is carried out prior to the removal from the office environment of documents containing sensitive personal data and that they are sufficiently secure in transit.

Reason for action
It was felt that the implications of including the case documents with the travel documents during the journey had been insufficiently considered.

When
8 July 2010

Links

Kent Police

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are regulated. Where necessary, staff must be given secure transportation and storage facilities for data outside of the office.

Reason for action
The officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home in breach of the data controller’s policy.

When
18 June 2010

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

West Sussex County Council

What
Loss of sensitive personal information.

How much
Unknown.

Why
Theft of an unencrypted laptop from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that staff are made aware of policies on data protection.

Reason for action
Enquiries revealed that the employee had not received any formal data protection/IT security training and was unaware of how to access the data controller’s secure network drive remotely. Although encrypted removable media was available to staff, no technical measures were yet in place to enforce their use, and it was also discovered that about 2,300 unencrypted laptops were likely to still be in use.

When
17 June 2010

Links
View PDF of West Sussex County Council Undertaking (Via ICO Website)

View PDF of West Sussex County Council Undertaking (Breach Watch Archive)

London Borough of Barnet

What
Loss of sensitive personal information.

How much
Over 9,000 records.

Why
Theft of an encrypted laptop and unencrypted USB and CDs from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are sufficiently encrypted and that staff are suitably trained in the data controller’s policies on data protection, which must be regularly monitored. Finally, the data controller shall agree to a further audit by the ICO within the current fiscal year, to ensure that the requirements of this undertaking are met.

Reason for action
The employee had downloaded the data onto the unencrypted devices without authorisation, though enquiries revealed that insufficient measures were in place to prevent staff from doing so.

When
15 June 2010

Links
View PDF of London Borough of Barnet Undertaking (Via ICO Website)

View PDF of London Borough of Barnet Undertaking (Breach Watch Archive)