Category Archives: ICO undertaking

Billing Pharmacy Limited

Posted on by

What
Loss of sensitive personal data.

How much
About 1,000 records.

Why
An unencrypted computer containing the personal data of around 1,000 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices and computers used to store or transport personal data are suitably encrypted. A data protection policy must be drafted and all staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action
It was not possible to notify the patients affected by the theft as the data on the computer was not separately backed up. Further enquiries revealed that the data controller did not have in place appropriate policies and procedures with regards to data protection matters.

When
8 September 2009

Links
View PDF of the Billing Pharmacy Limited Undertaking (Breach Watch Archive)

NHS Grampian

Posted on by

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

  • The inappropriate distribution of an email containing sensitive personal data relating to an individual.
  • Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
  • An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

  • A senior nursing manager distributing an email from another senior manager to over 50 other staff without first consulting either the sender of the data controller’s Information Governance Manager.
  • Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
  • An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
  • Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)

Ipswitch Hospital NHS Trust

Posted on by

What
Loss of sensitive personal data.

How much
30 records.

Why
A ward handover sheet was found outside the data controller’s premises. This was the second time inside a year that such an incident had been reported to the Commissioner.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it.

Reason for action
Following the incident in 2008 recommendations had been made to minimise the risk of such documents going astray, including instructions to dispose of these in confidential waste and never to remove them from Trust premises, but it was clear that these had not been adhered to by staff.

When
25 August 2009

Links
View PDF of the Ipswich Hospital NHS Trust Undertaking (Breach Watch Archive)

Wigan Council

Posted on by

What
Loss of sensitive personal data.

How much
43,000 records.

Why
An unencrypted laptop was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The personal data contained on the unencrypted laptop was downloaded onto it in breach of Council policy.

When
18 August 2009

Links
View PDF of the Wigan Council Limited Undertaking (Breach Watch Archive)

NHS Education for Scotland

Posted on by

What
Loss of sensitive personal data.

How much
6,377 records.

Why
An unencrypted laptop containing the personal data of 6,377 individuals was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was not encrypted as it not intended to taken off NES premises and was therefore not considered a “mobile device” under NES internal policy at the time.

When
14 August 2009

Links
View PDF of the NHS Education for Scotland Undertaking (Breach Watch Archive)

UPS Limited

Posted on by

What
Loss of personal data.

How much
9,150 records.

Why
An unencrypted laptop containg payroll data was stolen from the home of an employee of the data controller

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was unencrypted, although the data controller has begun steps to introduce a policy to address this issue.

When
7 August 2009

Links
View PDF of the UPS Limited Undertaking (Breach Watch Archive)

Imperial College Healthcare NHS Trust

Posted on by

What
Loss of sensitive personal data.

How much
6,000 records.

Why
Six laptops were stolen from a secure area within the hospital on two separate occasions. In a separate incident a small number of paper records were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
One of laptops was unencrypted despite containing sensitive personal data.

When
29 July 2009

Links
View PDF of the Imperial College Healthcare NHS Trust Undertaking (Breach Watch Archive)

East Cheshire NHS Trust

Posted on by

What
Loss of sensitive personal data.

How much
About 60 records.

Why
Personal data relating to over 60 patients were found in a garden in Newcastle-under-Lyme. This followed an office move during which an external company was retained to clear out scrap and rubbish from vacated premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that in all cases where third party supplies of goods or services will have access to personal data, a written contract must be entered into prior to work beginning which covers data security requirements. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
The data controller did not enter into any written contract with the external company, nor where its actions appropriately supervised. It was noted during the clearance operations that boxes of data were being disposed of in open skips, but the data controller failed to react to this in time to prevent loss of some records.

When
27 July 2009

Links
View PDF of the East Cheshire NHS Trust Undertaking (Breach Watch Archive)

NHS Lothian

Posted on by

What
Loss of personal data.

How much
162 records.

Why
A document wallet containing 25 paper files was temporarily left in a shop. In a second incident an unencrypted USB memory stick was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Network systems are to be introduced to prevent the use of unauthorised personal memory devices to download personal data being processed by NHS Lothian. Measures must be taken to ensure the physical security of all paper files containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The USB memory stick was unencrypted and was the personal property of an employee. In both cases the employees failed to comply with NHS Lothian security requirements.

When
21 July 2009

Links
View PDF of the NHS Lothian Undertaking (Breach Watch Archive)

Repair Management Services Ltd

Posted on by

What
Loss of sensitive personal data.

How much
36,800 records.

Why
A unencrypted laptop was stolen from a secure, but unattended, motor vehicle in a public car park.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptop was unencrypted despite containing details relating to criminal convictions.

When
17 July 2009

Links
View PDF of the Repair Management Services Ltd Undertaking (Breach Watch Archive)