Brecon Beacons National Park Authority

What

Unauthorised disclosure of personal data.

How much

Two incidents.

Why

On the first occasion personal data of relatively low sensitivity held in local development plan consultation comment forms was disclosed. On the second occasion planning application documents were published on a website, containing personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures are put in place to prevent unauthorised access to personal data from the data controller’s website.

Reason for action

It was felt that insufficient care was taken to prevent the disclosure of personal details such as telephone numbers and email addresses.

When

18 Apr 2012

Links

View PDF of the Brecon Beacons National Park Authority Undertaking (Via ICO Website)

View PDF of the Brecon Beacons National Park Authority Undertaking (Breach Watch Archive)

Leicestershire County Council

What

Loss of sensitive personal data.

How much

18 records.

Why

A briefcase, containing documents to be used for initiating court proceedings, was stolen from a social worker’s house during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that existing policies are amended to include detailed guidance on the security of paper documents while home working, and that staff receive sufficient training and follow these guidelines.

Reason for action

Although the social worker had asked for, and received, permission from his manager to take the documents home with him, policies were in place to train staff in how to secure documents outside the office. The manager had received this training, but the social worker had not.

When

17 Apr 2012

Links

View PDF of the Leicestershire County Council Undertaking (Via ICO Website)

View PDF of the Leicestershire County Council Undertaking (Breach Watch Archive)

Toshiba Information Systems UK Ltd

What

Loss of personal data.

How much

20 records.

Why

A security fault in an online competition meant that the personal details of individuals who registered could be accessed by users other than the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will obtain sufficient guarantees from the data processor that it will conduct appropriate web application security tests in relation to any web applications, and that compliance with these guarantees is monitored.

Reason for action

It was felt that insufficient security testing had been performed on the web application intended for the competition, despite a written contract being in place between the data controller and data processor.

When

17 Apr 2012

Links

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Via ICO Website)

View PDF of the Toshiba Information Systems UK Ltd Undertaking (Breach Watch Archive)

Hertfordshire County Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)

South London Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, on two separate occasions. A clipboard of ward lists was left in a grocery store, and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

22,000 records.

Why

Six unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractors' staff. All staff must receive adequate data protection training.

Reason for action

Due to network connection problems, patient data had been stored on laptop C: drives, contrary to Trust policy, and was not encrypted.

When

27 March 2009

Links

View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

The Highland Council

What

Loss of sensitive personal data.

How much

A few records.

Why

Sensitive personal data relating to several members of one family had been inadvertently disclosed to an unrelated individual. This occurred because several members of both families, who lived in the same small village, submitted subject access requests to the data controller at roughly the same time.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a full briefing on outstanding subject access requests is provided to covering officers, and that a formal log of all requests is kept and made easily accessible.

Reason for action

The officer who usually dealt with such requests went on leave before full responses had been sent, and enquiries revealed that the covering officer had not been made aware that more than one request was outstanding from someone in the village. When information relating to one family was provided, the covering officer assumed it related to the other family, to whom he had earlier sent some documents left for him by his absent colleague.

When

17 March 2010

Links

View PDF of the Highland Council Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and, at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

9 March 2012

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Zurich Insurance plc

What

Loss of personal data.

How much

6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required, appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractors' staff, and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with a normal data processor.

When

7 March 2010

Links

View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)