Newcastle Youth Offending Team

What

Loss of sensitive personal data.

How much

100 records.

Why

Theft of an unencrypted laptop from a home address of an employee of a hired data processor.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all data processors contracted on the data controller's behalf comply with the principles of the Act and in particular that all portable media devices are sufficiently encrypted.

Reason for action

The data controller did not have an appropriate contract in place with the data processor which stipulated the need to encrypt devices containing personal data.

When

28 October 2011.

Links

View PDF of the Newcastle Youth Offending Team Undertaking (Via ICO Website)

View PDF of the Newcastle Youth Offending Team Undertaking (Breach Watch Archive)

Dumfries and Galloway Council

What

Accidental online disclosure of staff’s personal information.

How much

887 records.

Why

Records were accidentally published online in response to a Freedom of Information (Scotland) Act request.

Regulator

ICO

Regulatory action

Undertaking issued to undergo an externally commissioned audit and to put in place checks to prevent another such occurrence.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

17 October 2011.

Links

View PDF of the Dumfries and Galloway Council Undertaking (Via ICO Website)

View PDF of the Dumfries and Galloway Council Undertaking (Breach Watch Archive)

Eastleigh Borough Council

What

Potential loss of sensitive personal data.

How much

“Several”

Why

A member of the press claimed to have received a list containing sensitive personal information – the extent of this information and how he obtained it are “unclear”.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal information kept on the list is minimised and it is kept more secure.

Reason for action

The list contained excessive personal information for its purposes.

When

20 September 2011.

Links

View PDF of the Eastleigh Borough Council Undertaking (Via ICO Website)

View PDF of the Eastleigh Borough Council Undertaking (Breach Watch Archive)

Royal Liverpool and Broadgreen University Hospitals NHS Trust

What

Loss of sensitive personal data on two occasions.

How much

22 records and 27 records.

Why

  • Ward handover sheets were discovered in a street near the hospital.
  • A clinic bag containing paper documents was stolen from a staff member's car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the requirements for keeping data secure.

Reason for action

Both occasions seem to have been caused by staff failing to take the proper precautions.

When

15 September 2011.

Links

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Walsall Council

What

Accidental disposal of personal data.

How much

951 records.

Why

The appointed data processor accidentally disposed of postal vote statements in a skip.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that in the future a written contract exists between data processors and the controller.

Reason for action

There was no written contract between the data controller and the data processor.

When

09 September 2011.

Links

View PDF of the Walsall Council Undertaking (Via ICO Website)

View PDF of the Walsall Council Undertaking (Breach Watch Archive)

Luton Borough Council

What

Discovery of flawed encryption.

How much

None

Why

A flaw in the encryption of memory sticks allowed them to be reformatted, removing the encryption.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all encryption is up to a sufficient standard.

Reason for action

Encryption was of an insufficient standard and this was only discovered during a recall of old devices.

When

02 September 2011.

Links

View PDF of the Luton Borough Council Undertaking (Via ICO Website)

View PDF of the Luton Borough Council Undertaking (Breach Watch Archive)

London Borough of Greenwich

What

Two incidents of disclosure of sensitive personal information.

How much

Two records.

Why

Information sent to incorrect email addresses.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the Council’s IT policy specifically makes it clear that data is not to be sent to personal emails.

Reason for action

Both incidents saw staff fail to adhere to the Council’s IT policy regarding the encryption of data. However, the policy did not explicitly prevent the sending of data to personal emails.

When

10 August 2011.

Links

View PDF of the London Borough of Greenwich Undertaking (Via ICO Website)

View PDF of the London Borough of Greenwich Undertaking (Breach Watch Archive)

Lewisham Council and Wandle Housing Association

What

Loss of personal data.

How much

20,000 records.

Why

Loss of an unencrypted memory stick in a London pub.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is not transferred onto unencrypted personal media devices.

Reason for action

Staff were insufficiently trained and unaware of the dangers of copying sensitive information to personal, unsecure, devices.

When

04 August 2011.

Links

View PDF of the Lewisham Council Undertaking (Via ICO Website)

View PDF of the Lewisham Council Undertaking (Breach Watch Archive)

View PDF of the Wandle Housing Association Undertaking (Via ICO Website)

View PDF of the Wandle Housing Association Undertaking (Breach Watch Archive)

Kirklees Metropolitan Council

What

Personal data unnecessarily disclosed.

How much

18 records.

Why

Records left visible in an employee's car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient security measures are implemented and checked to prevent inappropriate disclosure of personal data.

Reason for action

Similar accidental disclosures had already occurred during the past year and insufficient measures had been put into place to prevent any reoccurrences.

When

29 July 2011.

Links

View PDF of the Kirklees Metropolitan Council Undertaking (Via ICO Website)

View PDF of the Kirklees Metropolitan Council Undertaking (Breach Watch Archive)

Lancashire Police Authority

What

Loss of sensitive personal data.

How much

Unknown.

Why

Sensitive personal data was accidentally published on the data controller’s website.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient training and security measures are put into place to prevent accidental disclosure of sensitive data.

Reason for action

The data controller was insufficiently familiar with the relatively new system being used to publish their website and failed to take immediate action having been made aware of the error.

When

19 July 2011.

Links

View PDF of the Lancashire Police Authority Undertaking (Via ICO Website)

View PDF of the Lancashire Police Authority Undertaking (Breach Watch Archive)