Southampton City Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller required taxi operators to record all conversations and images while the vehicles were in use.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to erase any personal data in the audio recordings that have already been obtained and held, and refrain from recording any such personal data in the future.

Reason for action
The recording policy was considered unnecessary and fundamentally invasive to private individuals using the car, be they driver or passenger.

The Enforcement notice was upheld on appeal to the first-tier (Information Rights) tribunal.When
7 February 2012

Links
View PDF of the Southampton City Council Enforcement Notice (Via ICO Website)

View PDF of the Southampton City Council Enforcement Notice (Breach Watch Archive)

Staffordshire County Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller failed to respond to an individual’s subject access request in the prescribed period of 40 days.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to supply the individual with a copy of a document within 35 days of the Notice being issued.

Reason for action
The data controller failed to inform the individual, without undue delay, whether personal data relating to him was being processed by it or on its behalf.

When
7 February 2012

Links
View PDF of the Staffordshire County Council Enforcement Notice (Via ICO Website)

View PDF of the Staffordshire County Council Enforcement Notice (Breach Watch Archive)

Midlothian Council

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 01 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

Powys County Council

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and has the potential for misuse.

Worcestershire County Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much “A large number” of records.
When Unknown
Why A member of staff accidently clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 28 November 2011

Why the regulator acted

Breach of act Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated.
Inappropriate organisational and technical measures.
Known or should have known Employees routinely dealt with confidential and sensitive personal data and manages should have realised the potential for human error when selecting emails lists.
Likely to cause damage or distress Details of vulnerable young adults.

North Somerset Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

London Borough of Southwark

What

Loss of sensitive personal data.

How much

7,200 records.

Why

An unencrypted iMac and paper records were found by a member of the public in a skip being used to cleanse a decommissioned and vacant property that had previously been part of a complex previously owned by the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will demonstrate adherence to the action plans to deal with the issue that it has presented to the data commissioner and that it will honour its invitation for the ICO to conduct a data protection audit.

Reason for action

Although the Data Controller demonstrated plans to deal with the breach, the iMac had been missing since 2003 and was unencrypted and any member of the public would have been able to remove the data contained on it.

When

21 November 2011.

Links

View PDF of the London Borough of Southwark Undertaking (Via ICO Website)

View PDF of the London Borough of Southwark Undertaking (Breach Watch Archive)

Central Essex Community Services

What

Loss of sensitive personal data.

How much

249 records.

Why

Loss of a birth book from a locked storage room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient physical security measures are in place for the storage of paper medical records and compliance with these measures are monitored.

Reason for action

The birth book was supposed to be locked in a filing cabinet in accordance with the data controller’s policy, but it was stored on top of the cabinet due to a lack of storage space.

When

21 November 2011.

Links

View PDF of the Central Essex Community Services Undertaking (Via ICO Website)

View PDF of the Central Essex Community Services Undertaking (Breach Watch Archive)

Oliver Letwin, MP

What

Loss of sensitive personal data.

How much

“Numerous”

Why

The data controller was disposing of documents in public waste bins in St James’ Park.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data must be disposed in a secure manner, such as shredding, pulping or incineration.

Reason for action

Some of the documents disposed of in the public waste bins included personal information such as names and addresses.

When

15 November 2011.

Links

View PDF of the Oliver Letwin MP Undertaking (Via ICO Website)

View PDF of the Oliver Letwin MP Undertaking (Breach Watch Archive)

Rochdale Metropolitan Borough Council

What

Loss of personal data.

How much

“Thousands”

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issues to ensure that all portable media devices used to store personal data are sufficiently encrypted and that policies and procedures on the storage, processing, transmission and disposal of personal data shall be reviewed and revised by no later than 1 December 2011.

Reason for action

Although much of the data on the USB stick was already available in the public domain it became clear during investigations that data protection training was insufficient and that encrypted memory sticks were not provided in those cases when more private data would have been stored.

When

03 November 2011.

Links

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Breach Watch Archive)