Basildon and Thurrock University Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

One record.

Why

Faxes were incorrectly sent to the wrong recipient over a period  of at least a year.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that records are transmitted to GPs in a more secure manner and a ring ahead procedure is implemented.

Reason for action

The Fax was intended for the patient’s GP, but the wrong Fax number was recorded.

When

01 July 2011.

Links

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Surbiton Children’s Central Nursery

What

Loss of personal data.

How much

21 records

Why

A teacher’s bag was stolen containing an unencrypted memory stick and paperwork.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable data devices are encrypted  and that staff only take data off site when absolutely necessary.

Reason for action

The memory stick, containing personal data, was unencrypted.

When

14 June 2011.

Links

View PDF of the Surbiton Children’s Central Nursery Undertaking (Via ICO Website)

View PDF of the Surbiton Children’s Central Nursery Undertaking (Breach Watch Archive)

Surrey Council

Breach details

What Loss of sensitive personal information on three occasions.
How much 241 records.
When May – June 2010
Why Records were accidently sent out in an email copied to a global distribution list, minutes of a confidential strategy discussion erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
When 9 June 2011

Why the regulator acted

Breach of act Emails were unencrypted and sent to the wrong recipients.
Inappropriate organisational and technical measures.
Known or should have known The risk of incorrect drop down boxes being selected were “self evident”.
Likely to cause damage or distress Records related to special needs.

North Lanarkshire Council

What

Loss of sensitive personal data.

How much

Six records.

Why

A home support worker’s bag which contained hard copies of records relating to vulnerable individuals was stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures and implemented for hard copy documentation and that such documents contain the minimum amount of personal data necessary.

Reason for action

The home support worker’s bag was not locked and further investigation revealed that staff were given insufficient guidance about how to use and transport such documentation.

When

08 June 2011.

Links

View PDF of the North Lanarkshire Council Undertaking (Via ICO Website)

View PDF of the North Lanarkshire Council Undertaking (Breach Watch Archive)

Somerset County Council

What

Loss of sensitive personal data.

How much

One record.

Why

An employee working on two cases inadvertently enclosed one child’s assessment letter to the other family.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

The incident revealed a lack of sufficient checks and controls in areas of the data controller’s operations dealing with significant amounts of personal data.

When

13 May 2011.

Links

View PDF of the Somerset County Council Undertaking (Via ICO Website)

View PDF of the Somerset County Council Undertaking (Breach Watch Archive)

Borough of Poole

What

Loss on sensitive personal information on three occasions.

How much

Three records

Why

Faxes containing  personal information were erroneously sent to the wrong number.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are sufficiently training in both the usage of and policies relating to the transmission of data via, fax machines.

Reason for action

Insufficiently clear instructions and training was provided to staff.

When

19 April 2011.

Links

View PDF of the Borough of Poole Undertaking (Via ICO Website)

View PDF of the Borough of Poole Undertaking (Breach Watch Archive)

Council for Healthcare Regulatory Excellence

What

Possible loss of sensitive personal information.

How much

Three records

Why

Discovery that some hard copy files relating to cases could not be accounted for.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all correspondence regarding personal data is adequately protected and a permanent system for the logging of data is put into place.

Reason for action

It was impossible, due to insufficient data tracking, to be sure if the data had ever been received by the data controller, let alone lost.

When

15 April 2011.

Links

View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Via ICO Website)

View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Breach Watch Archive)

City of York Council

What

Loss of sensitive personal information.

How much

One record.

Why

The information was erroneously included with documentation sent to an unrelated third party.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that documentation containing personal data is not printed when there is no need to do so.

Reason for action

The information was mistakenly collected from a shared printer by an employee who failed to check that the documentation was only for their case. A lack of quality control prevented this error from being discovered until it was too late.

When

05 April 2011.

Links

View PDF of the City of York Council Undertaking (Via ICO Website)

View PDF of the City of York Council Undertaking (Breach Watch Archive)

Wolverhampton City Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

Personal data belonged to the data controller was dumped in a skip, which was later stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

15 March 2011.

Links

View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)

View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)

Doncaster Metropolitan Borough Council

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)