Category Archives: ICO undertaking

Dartford and Gravesham NHS Trust

Posted on by

What

Accidental destruction of achieved records containing sensitive personal data.

How much

10,000 records.

Why

Records accidently placed in a disposal room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is physically secure against destruction.

Reason for action

Due to a lack of space in achieves, records were placed in a disposal room and accidently disposed of.

When

04 October 2011.

Links

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Via ICO Undertaking)

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Breach Watch Archive)

Poole Hospital NHS Trust

Posted on by

What

Loss of sensitive personal data.

How much

240 records.

Why

Theft of two diaries stolen from a nurses’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is kept physically secure both at home and in the work place and that personal data is kept to the minimum required and anonymised where possible.

Reason for action

The diaries contained information the nurse might need off hours, but were kept, unsecured, in her car outside her home.

When

04 October 2011.

Links

View PDF of the Poole Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Poole Hospital NHS Trust Undertaking (Breach Watch Archive)

Eastleigh Borough Council

Posted on by

What

Potential loss of sensitive personal data.

How much

“Several”

Why

A member of the press claimed to have received a list containing sensitive personal information – the extent of this information and how he obtained it are “unclear”.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal information kept on the list is minimised and it is kept more secure.

Reason for action

The list contained excessive personal information for its purposes.

When

20 September 2011.

Links

View PDF of the Eastleigh Borough Council Undertaking (Via ICO Website)

View PDF of the Eastleigh Borough Council Undertaking (Breach Watch Archive)

Child Exploitation Online Protection Centre and the Serious Organised Crime Agency

Posted on by

What

The CEOP’s website reporting forms were being transmitted insecurely.

How much

None.

Why

A member of the public realised that the website’s reporting page was insecure.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is made secure and subject to regular checks.

Reason for action

Reports were transmitted unencrypted in plain text and this had been the case for several months.

When

15 September 2011.

Links

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Via ICO Website)

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Breach Watch Archive)

Royal Liverpool and Broadgreen University Hospitals NHS Trust

Posted on by

What

Loss of sensitive personal data on two occasions.

How much

22 records and 27 records.

Why

  • Ward handover sheets were discovered in a street near the hospital.
  • A clinic bag containing paper documents was stolen from a staff members’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the requirements for keeping data secure.

Reason for action

Both occasions seem to have been caused by staff failing to take the proper precautions.

When

15 September 2011.

Links

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Eastern and Coastal Kent Primary Care Trust

Posted on by

What

Loss of personal data.

How much

1.6 million records.

Why

A filling cabinet containing records was sent to a landfill during a move, however it also contained a CD holding data on 1.6 million patients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff receive the necessary Information Governance training and are made aware of retention and storage policies.

Reason for action

A failure of internal communication meant that the presence of the CD in the filing cabinet was not known to those disposing of it.

When

14 September 2011.

Links

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Via ICO Website)

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Breach Watch Archive)

Walsall Council

Posted on by

What

Accidental disposal of personal data.

How much

951 records.

Why

The appointed data processor accidentally disposed of postal vote statements in a skip.

Regulator

ICO

Regulatory action

Undertaking issued to insure that in the future a written contract exists between data processors and the controller.

Reason for action

There was no written contract between the data controller and the data processor..

When

09 September 2011.

Links

View PDF of the Walsall Council Undertaking (Via ICO Website)

View PDF of the Walsall Council Undertaking (Breach Watch Archive)

London Ambulance Service NHS Trust

Posted on by

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of unencrypted laptop from a staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff members are made aware sensitive personal data is not to be forwarded to personal email accounts under any circumstances.

Reason for action

Data was emailed by a staff member to a personal account and downloaded onto a personal, unencrypted, laptop.

When

07 September 2011.

Links

View PDF of the London Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the London Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

University Hospital of South Manchester NHS Foundation Trust

Posted on by

What

Loss of sensitive personal data.

How much

87 records.

Why

Loss of an unencrypted memory stick by a medical student.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that students are provided with sufficient training and that the security of personal data is sufficiently monitored.

Reason for action

It was assumed that the medical student had already received sufficient data protection training. Sensitive data was copied from an encrypted memory stick provided by the hospital to an unencrypted personal memory stick.

When

07 September 2011.

Links

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Breach Watch Archive)

The Scottish Children’s Reporter Administration

Posted on by

What

Loss of sensitive personal data.

How much

10 records.

Why

An email containing sensitive information was sent to an unknown 3rd party and nine case files were temporarily lost during a move.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware that they may not send data to personal email accounts.

Reason for action

Information was emailed despite a policy being in place that stated this could only be done if sent to an equally secure recipient. A filing cabinet was not checked for case files during a move.

When

02 September 2011.

Links

View PDF of the Scottish Children’s Reporter Administration Undertaking (Via ICO Website)

View PDF of the Scottish Children’s Reporter Administration Undertaking (Breach Watch Archive)