The Highland Council

What
Loss of sensitive personal data.

How much
A few records.

Why

Sensitive personal data relating to several members of one family had been inadvertently disclosed, to an unrelated individual. This occurred because several members of both families, who lived in the same small village, submitted subject access requests to the data controller at roughly the same date.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a full briefing of subject access requests is provided to covering officers and a formal log of all requests is kept and made easily accessible.

Reason for action

The officer who usually dealt with such requests went on leave before full responses had been sent, and enquiries revealed that the covering officer had not been made aware that more than one request was outstanding from someone in the village. When information relating to one family was provided the covering officer assumed it was related to the other family, to whom he had earlier sent some documents left for him by his absent colleague.

When
17 March 2010

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young Peoples’ Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff trained was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breachwatch Archive)

Cheshire East Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 15 February 2012

Why the regulator acted

Breach of act Sensitive email mistakenly forwarded to over 180 recipients.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress Details could jeopardise the data subject’s livelihood.

Croydon Council

Breach details

What Croydon Council.
How much One record.
When 20 April 2011
Why A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved and the onus was on staff to update their own knowledge and read the data controller’s policies in the intranet. No checks were made to ensure that staff had read or understood these police.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 13 Fenruary 2012

Why the regulator acted

Breach of act Loss of papers, which could disrupt an ongoing legal case.
Inappropriate organisational and technical measures.
Known or should have known It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress Information related to an ongoing legal case.

Norfolk Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One records.
When April 2011
Why A social worker in the Data Controller’s Children’s Service’s department intended to deliver a copy of a report on a conference to a child’s father, but accidently wrote the wrong address on an envelope and placed it through the door of the father’s neighbour. Although a policy was in place to provide guidance about sending personal data by post it was possible that the social worker was unaware of this as she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor trainin.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 13 February 2012

Why the regulator acted

Breach of act Even had policy been followed there was nothing to prevent the incorrect delivery of the wrongly addressed letter.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress Data related to the physical and emotional well-being of a child.

Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database with child swimming lessons was stolen from a ground level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers the thief was able to remove the laptop and escape, as the laptop was left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Bolton Council

What

Loss of sensitive personal data.

How much

“Several”

Why

A rucksack contained hard copy documentation relating to several individuals was stolen from a keyworker’s car. A second incident was also reported during when an email was sent in error to several hundred people containing a full occupational health form for one player.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that hard copy documentation is only removed from the office or secure storage when absolutely necessary and must contain the minimum amount of personal data required. Thorough risk assessments are to be completed for all mobile working arrangements.

Reason for action

  • In the case of the first incident it was discovered that the carrying significantly more paperwork than necessary without the knowledge of management. Investigations revealed that despite the fact that many employees are predominantly mobile workers the implications of how to handle data in a mobile environment had been insufficiently considered. Employees had however received appropriate training relating to the removal of personal data from the office.
  • In the second incident it transpired that autofill is often used when sending emails and that existing email groups do not differentiate between internal and external addresses.

When

10 February 2012.

Links

View PDF of the Bolton Council Undertaking (Via ICO Website)

View PDF of the Bolton Council Undertaking (Breach Watch Archive)

Dacorum Borough Council

What

Loss of sensitive personal data.Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground following a burglary. It contained registration documents relating to about 1000 children who have attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting is registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Brighton and Hove Council

What

Loss of sensitive personal data.

How much

Records relating to up to seven families.

Why

Theft of an unencrypted laptop during a burglary and on a separate occasion details of an employee’s income and salary deductions was accidently emailed to 2,821 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that that all portable media devices are suitably encrypted and appropriate administrative measures are put into place to control employee use of email groups.

Reason for action

The laptop was stolen from the home of a sessional worker, a casual employee under contract for a specific assignment. The data sent to the worker was supposed to have been anonymised, but had not been.

When

10 February 2012.

Links

View PDF of the Brighton and Hove Council Undertaking (Via ICO Website)

View PDF of the Brighton and Hove Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)