E*Trade Securities Ltd.

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)

Midlothian Council

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 01 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally email to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, included the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Chartered Institute of Public Relations

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)

Praxis Care Limited

What

Loss of sensitive personal data.

How much

160 records.

Why

An unencrypted USB memory stick used as a backup and transfer device by an employee was lost on the Isle of Man.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all personal media devices used to store or transport personal data are sufficiently encrypted.

Reason for action

The data controller acted swiftly to ascertain exactly what data was on the missing USB stick and appropriate support was provided to the effected subjects, No reports of adverse consequences from the data loss have been received.

When

18 January 2012.

Links

View PDF of the Praxis Care Limited Undertaking (Via ICO Website)

View PDF of the Praxis Care Limited Undertaking (Breach Watch Archive)

Powys County Council

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and has the potential for misuse.

Richard Dominic Preston

What

Loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from the data controller’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store personal data are encrypted to a sufficient standard.

Reason for action

Although much of the data on the laptop would have been in the public domain, it included email correspondence relating to legal cases.

When

06 December 2011.

Links

View PDF of the Richard Dominic Preston Undertaking (Via ICO Website)

View PDF of the Richard Dominic Preston Undertaking (Breach Watch Archive)

Alan M Casson & Associates

What

Loss of sensitive personal data.

How much

8,000 records.

Why

Theft of two unencrypted laptops and back up media during a burglary of premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that physical security measures are sufficient to prevent unauthorised access to persona data and that all portable media devices must be encrypted to a suitable standard.

Reason for action

While the laptops were kept in a locked cupboard and the backup media in a safe (which was stolen) the data controller was in the process of upgrading their security to include encryption, but the theft occurred before this could be put into practice.

When

06 December 2011.

Links

View PDF of the Alan M Casson & Associates Undertaking (Via ICO Website)

View PDF of the Alan M Casson & Associates Undertaking (Breach Watch Archive)

Godalming College

What

Inappropriate disclosure of sensitive personal data.

How much

Unknown.

Why

An email with an attachment containing sensitive personal data was inadvertently sent to lower-sixth form students rather than their tutors. The email was only intended to contain a link to the attachment.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data relating to students will only be provided to staff on a “need to know” basis and will not, in any event, be transmitted via email unless encrypted.

Reason for action

Although efforts were made to delete or recall the email, some students had already saved or forwarded the attachment and some media publicity resulted.

When

06 December 2011.

Links

View PDF of the Godalming College Undertaking (Via ICO Website)

View PDF of the Godalming College Undertaking (Breach Watch Archive)

Worcestershire County Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much “A large number” of records.
When Unknown
Why A member of staff accidently clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 28 November 2011

Why the regulator acted

Breach of act Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated.
Inappropriate organisational and technical measures.
Known or should have known Employees routinely dealt with confidential and sensitive personal data and manages should have realised the potential for human error when selecting emails lists.
Likely to cause damage or distress Details of vulnerable young adults.