Internet Eyes Limited

What

Loss of personal data.

How much

One record.

Why

A short video from the data controller’s security feed was posted on YouTube in which an individual was clearly recognisable.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the transmission of data is sufficiently secure, and that an audit trail is implemented for all users.

Reason for action

The video stream of security footage across the internet was not encrypted and, due to the lack of an audit trail, it was impossible to determine how the video had been posted.

When

14 June 2011.

Links

View PDF of the Internet Eyes Limited Undertaking (Via ICO Website)

View PDF of the Internet Eyes Limited Undertaking (Breach Watch Archive)

Surbiton Children’s Central Nursery

What

Loss of personal data.

How much

21 records.

Why

A teacher’s bag was stolen containing an unencrypted memory stick and paperwork.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable data devices are encrypted and that staff only take data off site when absolutely necessary.

Reason for action

The memory stick, containing personal data, was unencrypted.

When

14 June 2011.

Links

View PDF of the Surbiton Children’s Central Nursery Undertaking (Via ICO Website)

View PDF of the Surbiton Children’s Central Nursery Undertaking (Breach Watch Archive)

Surrey Council

Breach details

What: Loss of sensitive personal information on three occasions.
How much: 241 records.
When: May – June 2010
Why: Records were accidentally sent out in an email copied to a global distribution list; minutes of a confidential strategy discussion were erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £120,000
When: 9 June 2011

Why the regulator acted

Breach of act: Emails were unencrypted and sent to the wrong recipients.
Inappropriate organisational and technical measures.
Known or should have known: The risk of incorrect drop-down boxes being selected was “self evident”.
Likely to cause damage or distress: Records related to special needs.

North Lanarkshire Council

What

Loss of sensitive personal data.

How much

Six records.

Why

A home support worker’s bag which contained hard copies of records relating to vulnerable individuals was stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures are implemented for hard copy documentation and that such documents contain the minimum amount of personal data necessary.

Reason for action

The home support worker’s bag was not locked, and further investigation revealed that staff were given insufficient guidance about how to use and transport such documentation.

When

08 June 2011.

Links

View PDF of the North Lanarkshire Council Undertaking (Via ICO Website)

View PDF of the North Lanarkshire Council Undertaking (Breach Watch Archive)

Asperger’s Children & Carers Together (ACCT)

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The stolen laptop was unencrypted and investigation revealed that the data controller’s policies and procedures did not fully comply with the Act’s requirements.

When

27 May 2011.

Links

View PDF of the Asperger’s Children & Carers Together Undertaking (Via ICO Website)

View PDF of the Asperger’s Children & Carers Together Undertaking (Breach Watch Archive)

Wheelbase Motor Project

What

Loss of sensitive personal data.

How much

50 records.

Why

Theft of an unencrypted portable hard drive.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

Although the format of the hard drive would have been incompatible with most desktop systems and the sensitive files were password protected, it was ruled that this was insufficient security.

When

27 May 2011.

Links

View PDF of the Wheelbase Motor Project Undertaking (Via ICO Website)

View PDF of the Wheelbase Motor Project Undertaking (Breach Watch Archive)

Co-operative Life Planning Limited

What

Inappropriate disclosure of personal data.

How much

“A substantial volume”

Why

An electronic file containing customer data was sent to a software support supplier, where it was copied onto the supplier’s own servers.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

When

26 May 2011.

Links

View PDF of the Co-operative Life Planning Limited Undertaking (Via ICO Undertaking)

View PDF of the Co-operative Life Planning Limited Undertaking (Breach Watch Archive)

Somerset County Council

What

Loss of sensitive personal data.

How much

One record.

Why

An employee working on two cases inadvertently enclosed one child’s assessment letter to the other family.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

The incident revealed a lack of sufficient checks and controls in areas of the data controller’s operations dealing with significant amounts of personal data.

When

13 May 2011.

Links

View PDF of the Somerset County Council Undertaking (Via ICO Website)

View PDF of the Somerset County Council Undertaking (Breach Watch Archive)

Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

Breach details

What: Loss of sensitive personal information.
How much: 6,000 records.
When: 2009 – May 2010
Why: Insufficient measures taken to protect spreadsheets containing personal data, which was made available online following a DDoS attack.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £1,000
When: 10 May 2011

Why the regulator acted

Breach of act: Unencrypted spreadsheets were placed on a torrent site following a denial of service attack. “Home-use” web service used rather than a business package.
Inappropriate organisational and technical measures.
Known or should have known: Data controller was fully aware of the sensitive nature of the data he dealt with and that his business was controversial and unpopular with some. The risk of attack was clear, yet he set up his set without professional IT advice.
Likely to cause damage or distress: Financial and medical information of many individuals.

Freehold Community School

What

Loss of personal data.

How much

90 records.

Why

An unencrypted laptop and paperwork were stolen from a teacher’s car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The data controller was unaware of the necessity to ensure the encryption of portable media devices.

When

21 April 2011.

Links

View PDF of the Freehold Community School Undertaking (Via ICO Website)

View PDF of the Freehold Community School Undertaking (Breach Watch Archive)