Foyle Women’s Aid

Breach details

What Confidential client information contained in a folder was left at a cafe.
How much A folder containing information on one case.
When June 2012
Why A lack of effective controls and procedures for taking information out of the office contributed to the loss of this personal data. Excessive information was also being transported as the folder contained personal data not relevant to the scheduled meetings. However, there were general polices and procedures in place and the support worker had received relevant training. The support worker was also acting against previous instructions given by Foyle Women’s Aid.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details Foyle Women’s Aid will immediately implement a formal policy covering the use of personal data outside of the office and provide training to their staff; compliance with these policies shall be regularly monitored. Portable devices used for the storage and transmission of personal data must be encrypted. Physical and other security measures must also be implemented to protect against unauthorised access to personal data.

Northern Health and Social Care Trust

Breach details

What Personal data including information on physical or mental health.
How much An unknown number of incidents including the faxing of confidential service user information to the wrong recipient and the inappropriate disclosure of personal data to professionals working with the Trust.
When An unknown period, dating to at least May 2011.
Why A number of security incidents led to the Commissioner’s investigation into the Trust. It was discovered that most of the staff involved in these incidents had not received the supposedly mandatory Information Governance training, and the Trust failed to monitor and enforce staff completion of training. This led to staff being unaware of Information Governance policies.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details From the date of this undertaking staff are to be made aware of policies regarding the storage and use of personal data and are given appropriate training in this and in dealing with security breaches. Measures should be put in place to ensure that staff attend all mandatory training. In addition, portable devices used to store personal data must be encrypted.

Janet Thomas

Breach details

What Personal data and sensitive personal data included in CVs.
How much 7,435 records.
When 11 April 2012.
Why CV documents were being stored unprotected on the website www.janetpage.com, in an area that was intended to be a secure portal for prospective employers. However, any member of the public could access and download these documents which included information about candidates’ ethnicity, religion, and sexuality.

BW Comments

A reminder that unless you work very hard, documents on a website are very easily accessible.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 16 July 2013.
Details The company shall implement and monitor technical security measures on its website to protect personal data. This data should only be collected when necessary. Staff should also receive data protection training.

BW Observations

Given the background to the ACS Law MPN it is perhaps surprising that an obviously poorly-configured and amateur website containing (sensitive) personal data didn’t receive more than an undertaking from the commissioner. However as a jobseeker typically wants their CV circulated as widely as possible it would be hard for the ICO to establish that the breach of CVs from such a site was likely to cause the Data Subjects damage or distress.

Health & Care Professions Council

Breach details

What Documents containing personal data relating to a ‘fitness to practice’ hearing.
How much An unknown number of documents.
When 2011.
Why A suitcase containing documents relating to a ‘fitness to practice’ hearing was stolen from a train. The solicitors who had prepared these documents had not signed a contract to act only under instruction from the Data Controller, and had not been provided with specific guidance on the redaction of these documents for hearings.

BW Comments

It is strange the the ICO highlights the lack of an adequate contract between the Data Controller and their solicitor. Surely the normal contract of engagement between a client and solicitor would provide the necessary requirements of confidentiality and that the solicitor should only act on the client’s instructions?

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 09 July 2013.
Details The Data Controller is to immediately enter into a contract with its solicitors and issue instructions regarding the processing of personal data. In addition, agents and contractors given access to personal data are to be provided with specific guidance around data security; compliance with policies on data protection is to be regularly monitored; and security measures are to be implemented to protect personal data.

Bedford Borough Council

Breach details

What Sensitive personal data including the mental and physical health of the data subjects held in a social care database.
How much One record.
When Unknown.
Why A record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

BW Comments

This is closely linked to the undertaking signed by Central Bedfordshire Council.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 10 September 2012
Details The social care database was to be completely cleansed of unnecessary data from the previous local authority by 31 March 2013, and security measures were to be implemented to protect personal data.

BW Observations

As with the Central Bedfordshire Council undertaking there is no explanation provided by the Commissioner about the delay in publishing this undertaking although this is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Central Bedfordshire Council

Breach details

What Sensitive personal data incorrectly made available on a planning portal
How much Two records. This included birth details, private telephone numbers and personal medical information in one case, and physical and mental health details in the other.
When Unknown.
Why An individual’s personal information was made publicly available via a planning portal on the Council’s website. This occurred after documents were given the wrong planning reference number and then placed in an open access, rather than secure, folder. As a result personal information was not deleted from the documents prior to them being posted. In addition to this incident, a record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 18 September 2012.
Details The Council were to ensure that staff were aware of the correct procedures for preparing planning application documentation, to be given appropriate training, and that the procedures were followed. The social care database was also to contain a completely cleansed dataset by 31 March 2013. Finally, appropriate security measures were to be implemented to protect personal data.

BW Observations

Although the undertaking was ‘signed’ on 18 September 2012, it was only published by the ICO on 12 June 2013. This is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

News Group Newspapers

Breach details

What Customers’ personal data, some several years old.
How much ‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
When July 2011
Why A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator ICO
Action Undertaking to comply with the fifth and seventh data protection principles
When 9 November 2011
Details Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
  • There was a breach of the fifth and seventh principles.
  • There had been a previous penetration test, so the Sun knew of the vulnerability.
  • It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test especially given the data was posted to the Internet — i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.

This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.

The Burnett Practice

Breach details

What Names and email addresses.
How much About 175 records.
When 3 October 2012 or earlier
Why The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 26 April 2013
Details The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

East Riding of Yorkshire Council

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Leeds City Council

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.