Norfolk Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One records.
When April 2011
Why A social worker in the Data Controller’s Children’s Service’s department intended to deliver a copy of a report on a conference to a child’s father, but accidently wrote the wrong address on an envelope and placed it through the door of the father’s neighbour. Although a policy was in place to provide guidance about sending personal data by post it was possible that the social worker was unaware of this as she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor trainin.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 13 February 2012

Why the regulator acted

Breach of act Even had policy been followed there was nothing to prevent the incorrect delivery of the wrongly addressed letter.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress Data related to the physical and emotional well-being of a child.

Turning Point

What

Loss of personal data.

How much

Three records.

Why

Three service user’s files were lost following the relocation of premises. It is believed that that the files were unintentionally destroyed in confidential waste.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any policies introduced in relation to the storage, movement and use of personal data are implemented and communicated in all Turning Point offices.

Reason for action

Inquiries revealed that this was the second incident of the same nature within a year and despite implementing a number of safeguards during this relocation, there was no formal written policy in place to cover the relocation of files containing personal data.

When

10 February 2012.

Links

View PDF of the Turning Point Undertaking (Via ICO Website)

View PDF of the Turning Point Undertaking (Breach Watch Archive)

Fairbridge

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions password protected, but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database with child swimming lessons was stolen from a ground level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers the thief was able to remove the laptop and escape, as the laptop was left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Bolton Council

What

Loss of sensitive personal data.

How much

“Several”

Why

A rucksack contained hard copy documentation relating to several individuals was stolen from a keyworker’s car. A second incident was also reported during when an email was sent in error to several hundred people containing a full occupational health form for one player.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that hard copy documentation is only removed from the office or secure storage when absolutely necessary and must contain the minimum amount of personal data required. Thorough risk assessments are to be completed for all mobile working arrangements.

Reason for action

  • In the case of the first incident it was discovered that the carrying significantly more paperwork than necessary without the knowledge of management. Investigations revealed that despite the fact that many employees are predominantly mobile workers the implications of how to handle data in a mobile environment had been insufficiently considered. Employees had however received appropriate training relating to the removal of personal data from the office.
  • In the second incident it transpired that autofill is often used when sending emails and that existing email groups do not differentiate between internal and external addresses.

When

10 February 2012.

Links

View PDF of the Bolton Council Undertaking (Via ICO Website)

View PDF of the Bolton Council Undertaking (Breach Watch Archive)

Dacorum Borough Council

What

Loss of sensitive personal data.Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground following a burglary. It contained registration documents relating to about 1000 children who have attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting is registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Brighton and Hove Council

What

Loss of sensitive personal data.

How much

Records relating to up to seven families.

Why

Theft of an unencrypted laptop during a burglary and on a separate occasion details of an employee’s income and salary deductions was accidently emailed to 2,821 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that that all portable media devices are suitably encrypted and appropriate administrative measures are put into place to control employee use of email groups.

Reason for action

The laptop was stolen from the home of a sessional worker, a casual employee under contract for a specific assignment. The data sent to the worker was supposed to have been anonymised, but had not been.

When

10 February 2012.

Links

View PDF of the Brighton and Hove Council Undertaking (Via ICO Website)

View PDF of the Brighton and Hove Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

Southampton City Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller required taxi operators to record all conversations and images while the vehicles were in use.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to erase any personal data in the audio recordings that have already been obtained and held, and refrain from recording any such personal data in the future.

Reason for action
The recording policy was considered unnecessary and fundamentally invasive to private individuals using the car, be they driver or passenger.

The Enforcement notice was upheld on appeal to the first-tier (Information Rights) tribunal.When
7 February 2012

Links
View PDF of the Southampton City Council Enforcement Notice (Via ICO Website)

View PDF of the Southampton City Council Enforcement Notice (Breach Watch Archive)

Staffordshire County Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller failed to respond to an individual’s subject access request in the prescribed period of 40 days.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to supply the individual with a copy of a document within 35 days of the Notice being issued.

Reason for action
The data controller failed to inform the individual, without undue delay, whether personal data relating to him was being processed by it or on its behalf.

When
7 February 2012

Links
View PDF of the Staffordshire County Council Enforcement Notice (Via ICO Website)

View PDF of the Staffordshire County Council Enforcement Notice (Breach Watch Archive)