The Highland Council

What
Loss of sensitive personal data.

How much
A few records.

Why

Sensitive personal data relating to several members of one family had been inadvertently disclosed to an unrelated individual. This occurred because several members of both families, who lived in the same small village, submitted subject access requests to the data controller at roughly the same time.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a full briefing of subject access requests is provided to covering officers and a formal log of all requests is kept and made easily accessible.

Reason for action

The officer who usually dealt with such requests went on leave before full responses had been sent, and enquiries revealed that the covering officer had not been made aware that more than one request was outstanding from someone in the village. When information relating to one family was provided the covering officer assumed it was related to the other family, to whom he had earlier sent some documents left for him by his absent colleague.

When
17 March 2010

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Zurich Insurance plc

What
Loss of personal data.

How much
6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator
ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required, appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractors’ staff and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with a normal data processor.

When
7 March 2010

Links
View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)

Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected, but had not been encrypted. However, the data controller proposed to improve physical security and implement encryption as a result of the incident.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)

Durham University

What

Loss of personal data.

How much

Unknown.

Why

Training manuals posted on the data controller’s website contained actual, rather than fictitious or anonymised personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that no documents containing personal data shall be placed on the data controller’s website and that staff will be made aware of IT security policies by no later than the 30th of September 2012.

Reason for action

The breach was discovered in July 2011 but the manuals had been live on the website since February 2011. During the investigation it became clear that only around 20% of staff had made use of the training materials available to them.

When

01 March 2012.

Links

View PDF of the Durham University Undertaking (Via ICO Website)

View PDF of the Durham University Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young Peoples’ Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff training was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breach Watch Archive)

Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Pervinder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Pervinder Sanghera Undertaking (Breach Watch Archive)

Cheshire East Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000
When 15 February 2012

Why the regulator acted

Breach of act Sensitive email mistakenly forwarded to over 180 recipients.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress Details could jeopardise the data subject’s livelihood.

Croydon Council

Breach details

What Loss of sensitive personal data.
How much One record.
When 20 April 2011
Why A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved, and the onus was on staff to update their own knowledge and read the data controller’s policies on the intranet. No checks were made to ensure that staff had read or understood these policies.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 13 February 2012

Why the regulator acted

Breach of act Loss of papers, which could disrupt an ongoing legal case.
Inappropriate organisational and technical measures.
Known or should have known It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress Information related to an ongoing legal case.