Stoke-on-Trent City Council

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Enfield Council: Confidential Files Found in Disused Building

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Edinburgh City Council Investigates Laptop Theft

What
Loss of senstive personal data.

How much
Unknown.

Why
 The Edinburgh Evening News reported that an unencrypted laptop containing sensitive personal data relating to vulnerable children was stolen from the home of a consultant who conducts reviews of foster and adoptive parents in Edinburgh.

The police believe that the data on the laptop was not targeted, and the Council claims to have contacted “as many as possible” of those whose details were contained on the laptop.

Working with BT the City of Edinburgh Council had taken measures to encrypt some 8000 computers belonging to the council, following an IT security review in 2010. It would appear that the issue here was a failure to ensure that third parties also handling this data followed the same security measures.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

 

Scottish Borders Council

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000£ 0
Overturned on appeal to the Information Rights Tribunal
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident.
Likely to cause damage or distress Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)

West Lancashire Borough Council

What
Loss of personal data

How much
370 records.

Why
A business continuity bag containing emergency response documents and personal data relating to employees was stolen from a locked vehicle belonging to an officer.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the minimum amount of personal data necessary for emergency business is taken off site and that staff are fully training in data protection policy.

Reason for action
The data controller had some relevant guidance in place at the time of the incident, but could have provided clearer written instruction on the secure storage of hard copy personal data off site for emergency.

When
13 July 2012

Links
View PDF of the Lancashire Borough Council Undertaking (Via ICO Website)

View PDF of the Lancashire Borough Council Undertaking (Breach Watch Archive)

Telford & Wrekin Council

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.

London Borough of Barnet

Breach details

What Loss of sensitive personal information.
How much 15 records.
When 23 April 2011
Why Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 15 May 2012

Why the regulator acted

Breach of act Loss of paper records.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress Data relating to child exploitation.

Brecon Beacons National Park Authority

What

Unauthorised disclosure of personal data.

How much

Two incidents.

Why

On the first occasion personal data of relatively low sensitivity held in local development plan consultation comment forms was disclosed. On the second occasion planning application documents were published on a website, containing personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures are put in place to prevent unauthorised access to personal data from the data controller’s website.

Reason for action

It was felt that insufficient care was taken to prevent the disclosure of personal details such as telephone numbers and email addresses.

When

18 Apr 2012

Links

View PDF of the Brecon Beacons National Park Authority Undertaking (Via ICO Website)

View PDF of the Brecon Beacons National Park Authority Undertaking (Breach Watch Archive)

Leicestershire County Council

What

Loss of sensitive personal data.

How much

18 records.

Why

A briefcase, containing documents to be used for initiating court proceedings, was stolen from a social worker’s house during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that existing policies should be amended to include detailed guidance relating to the security of paper documents whilst home working and that staff receive sufficient training and follow these guidelines.

Reason for action

While the social worker had asked for, and received, permission from his manager to take the documents home with him, policies had been put in place to train staff in how to secure documents outside of the office. While the manager had received this training, the social worker had not.

When

17 Apr 2012

Links

View PDF of the Leicestershire County Council Undertaking (Via ICO Website)

View PDF of the Leicestershire County Council Undertaking (Breach Watch Archive)

Hertfordshire County Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)