Category Archives: ICO undertaking

St James Primary School

Posted on by

What
Loss of sensitive personal data.

How much
27 records.

Why
A teacher’s bag containing an unencrypted memory stick was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Memory sticks are not to be used in conjunction with “Report Assist” software to store or transmit personal data.

Reason for action
The memory stick was the teacher’s personal property and contained pupil reports.

When
15 April 2010

Links
View PDF of the St James Primary School Undertaking (Breach Watch Archive)

Birmingham and Solihull Mental Health NHS

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
A laptop storing a number of details relating to patients who had received mental healthcare within the trust, together with a number of staff records, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The laptop was stored stored in an unlocked filling cabinet in a secure, but not alarmed, office. At the time the majority of data stored on the laptop was out of data and had no business need to be retained.

When
9 April 2010

Links
View PDF of the Birmingham and Solihull Mental Health NHS Undertaking (Breach Watch Archive)

Warwickshire County Council

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.

The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.

When
19 March 2010

Links
View PDF of the Warwickshire County Council Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

Posted on by

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)

St Albans City and District Council

Posted on by

What
Loss of personal data.

How much
15,333 records.

Why
Four unencrypted laptops were stolen, one of which contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data. Adequate security checks must be carried out on contractor’s staff.

Reason for action
The laptop containing personal data was unencrypted (yet met Council IT security policy at the time) and contained redundant election data that had not been removed in a reasonable amount of time. It was later taken by contracted IT staff and left unsecured, later discovered to be missing along with 3 other laptops.

When
5 March 2010

Links
View PDF of the St Albans City and District Council Undertaking (Breach Watch Archive)

Redstone Mortgages Ltd

Posted on by

What
Loss of personal data.

How much
15,333 records.

Why
15,333 mortgage records were emailed to a member of the public by accident.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all reports containing personal data are suitably password protected and that this provision in entered into any contracts between the data controller and any data processors acting on its behalf.

Reason for action
The data was being transmitted to the data controller’s head office and several other recipients as part of a monthly analysis report. One of the recipients used an email address that was similar to a member of the public’s, which was mistakenly entered. The data was not encrypted or password protected.

When
19 February 2010

Links
View PDF of the Redstone Mortgages Ltd Undertaking (Breach Watch Archive)

Alzheimer’s Society

Posted on by

What
Loss of sensitive personal data.

How much
Approximately 1,000 records.

Why
Several unencrypted laptop computers, one of which contained personal data, were stolen from the data controller’s Cardiff Office during a burglary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops had been returned to the office for encryption, but this had not yet taken place when the theft occurred. The laptops were neither physically secured by cable locks, nor locked away securely. This was the third data security incident reported to the Commissioner during 2009. It was also revealed that staff did not receive any formal data protection training.

When
1 February 2010

Links
View PDF of the Alzheimer’s Society Undertaking (Breach Watch Archive)

The Association of Teachers and Lecturers

Posted on by

What
Loss of sensitive personal data.

How much
Approximately 6,282 records.

Why
An unencrypted laptop computer and memory stick were lost or stolen from a roadside vehicle as an ATL staff member was packing his car.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff will be prohibited from storing data on personal memory sticks. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptop was the property of ATL and contained sensitive personal data relating to some 6,282 union members. The memory stick was personally owned by the member of staff and contained duplicates of 3,366 of the laptop records.

When
14 January 2010

Links
View PDF of the Association of Teachers and Lecturers Undertaking (Breach Watch Archive)

Lancashire County Council

Posted on by

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
Documents containing a considerable amount of personal data were found in filing cabinet purchased second hand.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a formal written procedure is produced and implemented to ensure that any office furniture or equipment that is to be moved or disposed of is properly checked for personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The records were duplicates of documents held in the data controller’s office and contained extensive personal data. Enquiries revealed that the data controller had no formal written policy to ensure and document that cabinets or drawers were empty of personal data prior to disposal or removal.

When
11 January 2010

Links
View PDF of the Lancashire County Council Undertaking (Breach Watch Archive)

Southampton University Hospitals NHS Trust

Posted on by

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
An unencrypted laptop was stolen from a retinal screening vehicle.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The vehicle was left unlocked and unattended during the theft.

When
14 December 2009

Links
View PDF of the Southampton University Hospitals NHS Trust Undertaking (Breach Watch Archive)