Category Archives: ICO undertaking

Basingstoke and North Hampshire NHS Trust

Posted on by

What
Unnecessarily sharing of sensitive personal data

How much
917 records

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not passport protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)

West Berkshire Council

Posted on by

What

Loss of sensitive personal data.

How much

Unknown.

Why

Loss of an unencrypted USB stick containing sensitive personal data. This was the second data security incident reported by the data controller within 6 months.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store sensitive personal data are encrypted to a sufficient standard.

Reason for action

The USB stick had been used in 2005 by a member of the data controller’s social work department and was not encrypted or password-protected. Although the data controller had provided encrypted USB sticks since 2006 it never required the return of previously used unencrypted media devices.

When

27 May 2010

Links

View PDF of West Berkshire Council’s Undertaking (Via ICO Website)

View PDF of West Berkshire Council’s Undertaking (Breach Watch Archive)

Lampeter Medical Practice

Posted on by

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect to the unauthorised use of memory sticks.

Reason for action
A practical database was downloaded, without authorisation onto an unencrypted and non password protected memory stick

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

NHS Stoke-on-Trent

Posted on by

What

Possible loss of sensitive personal data.

How much

2,000 records

Why

Following a request for information about a patient’s medical records it was discovered that the physical paper records were not within the storage system, later enquiries revealed that about 2,000 records had not been stored

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate physical security for physical records is provided.

Reason for action

It is believed that the records may have been accidently destroyed or misfiled. Insufficient physical security and tracking was maintained.

When

11 May 2010

Links

View PDF of the NHS Stoke-on-Trent Undertaking (Via ICO Website)

View PDF of the NHS Stoke-on-Trent Undertaking (Breach Watch Archive)

King’s College London

Posted on by

What
Loss of sensitive personal data.

How much
About 200 records.

Why
A mini-Mac computer and several laptops were stolen from an academic office of the data controller in a teaching hospital.

In a second incident several months later two laptops were stolen from another teaching hospital.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
None of the machines were encrypted and it was discovered that the laptops were not normally locked away or physically secured when not in use. Enquiries revealed that staff training and awareness in relation to data protection responsibilities were inadequate. A similar incident had occurred in June 2009 but the data controller did not appear to have incorporated lessons learnt from that incident sufficiently into its wider policies and procedures.

When
5 May 2010

Links
View PDF of the King’s College London Undertaking (Breach Watch Archive)

Eastbourne Borough Council

Posted on by

What
Loss of personal data.

How much
Three records.

Why
Three unencrypted laptops were stolen from the general office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The office had a electronic lock that staff knew to be faulty and the laptops were neither encrypted  nor physically secured to the desks or locked away. The data controller had recently relocated and staff did not have access to the central network for some time, resulting in the use of the laptop to store and update a database containing personal information.

When
29 April 2010

Links
View PDF of the Eastbourne Borough Council Undertaking (Breach Watch Archive)

Bolton Youth Offending Team

Posted on by

What
Loss of sensitive personal data.

How much
Three records.

Why
A camcorder containing video footage of two young offenders apologising to their young victim was stolen. Two laptops, which did not contain personal data, were also stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The camcorder was stored in a locked cabinet, but the storage room which contained it was not locked and the windows used to gain entry did not provide adequate security. The video footage should have been removed from the camcorder and either stored appropriately or destroyed.

When
28 April 2010

Links
View PDF of the Bolton Youth Offending Team Undertaking (Breach Watch Archive)

NCL (Bahamas) Ltd

Posted on by

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

South Yorkshire Pensions Authority

Posted on by

What
Loss of personal data.

How much
9,140 records.

Why
An unencrypted cd containing personal data relating to 9,140 pension scheme members was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The cd was being used as a working copy by administrative staff in the office environment and there was no indication it had been stolen. It had been created to provide staff easy access to data without full consideration of data security implications.

When
22 April 2010

Links
View PDF of the South Yorkshire Pensions Authority Undertaking (Breach Watch Archive)

Ysgol Bro Famau

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.

When
16 April 2010

Links
View PDF of the Ysgol Bro Famau Undertaking (Breach Watch Archive)