Mansfield District Council

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Prospect

Breach details

What Loss of sensitive personal information (Union membership).
How much About 19,000 records.
When 08 Dec 2011
Why Two files containing member data were sent as part of a tendering process to an unknown email address in error. The files were encrypted but the password was also sent seperately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised, not only does it increase the risk of breaching the seventh principle, but it will also breach the first and second principles; although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – passwords should always be sent at a minimum by a separate channel.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 16 Jan 2013
Details The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

West Lancashire Borough Council

What
Loss of personal data

How much
370 records.

Why
A business continuity bag containing emergency response documents and personal data relating to employees was stolen from a locked vehicle belonging to an officer.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the minimum amount of personal data necessary for emergency business is taken off site and that staff are fully training in data protection policy.

Reason for action
The data controller had some relevant guidance in place at the time of the incident, but could have provided clearer written instruction on the secure storage of hard copy personal data off site for emergency.

When
13 July 2012

Links
View PDF of the Lancashire Borough Council Undertaking (Via ICO Website)

View PDF of the Lancashire Borough Council Undertaking (Breach Watch Archive)

South Yorkshire Police

What
Loss of personal data

How much
600 records.

Why
Personal data, relating to drug offences by 600 arrested individuals, was accidently included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be training in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offender’s names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)

Pharmacyrepublic Ltd

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen for the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, whom they had been paying a monthly retainer to, prior to the transfer of ownership process.

When

27 Mar 2012

Links

View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)

View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)

Holroyd Howe Independent Ltd

What

Loss of personal information.

How much

All payment records for the data controller’s employees.

Why

A data processor received a request from one of the data controller’s ex-employees for a copy of one of his payslips. In error, the data processor, which was acting on behalf of the data controller, emailed him a PDF document showing the relevant month’s payslips for all the data controller’s employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s amended policy for the storage and use of personal data and are appropriately trained how to follow that policy. Personal data transmitted over email must be encrypted to a sufficient standard.

Reason for action

In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.

When

23 May 2012

Links

View PDF of Holroyd Howe Independent Ltd Undertaking (Via ICO Website)

View PDF of Holroyd Howe Independent Ltd Undertaking (Breach Watch Archive)

Aneurin Bevan Health Board

Breach details

What Loss of sensitive personal data.
How much One records.
When 24 March 2011
Why A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When 30 April 2012

Why the regulator acted

Breach of act Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress Medical data.

Safe and Secure Insurances Services Limited

What

Loss of personal data.

How much

Unknown

Why

A hard drive purchased from the Internet contained personal data relating to S&S clients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any redundant hard drives and removable media devices used to store personal data are forensically wiped or completely destroyed before being disposed of or reused. The details of any such items must be logged.

Reason for action

S&S could not confirm how the hard drive had ended up in the public domain. It also transpired that the data controller did not have an adequate data protection policy in place at the time of the incident and further, that it did not have a drive disposal procedure. The data controller did not keep a record of any decommissioned equipment.

When

25 Apr 2012

Links

View PDF of the Safe and Secure Insurances Services Limited Undertaking (ICO Website)

View PDF of the Safe and Secure Insurances Services Limited Undertaking (Breach Watch Archive)