Doncaster Metropolitan Borough Council

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)

Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security, given the sensitive nature of the data it contained.

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

Ms Phillimore, a barrister

What

Loss of sensitive personal information.

How much

“A sizeable quantity”

Why

Theft of two hard copy folders of case files from her car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate physical security measures are taken to protect physical data – in particular data must not be left outside the chambers overnight.

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

23 March 2011.

Links

View PDF of Ms Phillimore’s Undertaking (Via ICO Website)

View PDF of Ms Phillimore’s Undertaking (Breach Watch Archive)

Cambridgeshire County Council

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware of policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Identity and Password Service

What

Loss of sensitive personal information.

How much

21 records.

Why

21 password renewal applications were lost from a particular passport office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that reasonable steps are taken to ensure the security of data while it is processed.

Reason for action

All those affected were notified and received new passwords without complaint; however, the incident demonstrated insufficiently secure processing of personal data.

When

21 February 2011.

Links

View PDF of the Identity and Password Service Undertaking (Via ICO Website)

View PDF of the Identity and Password Service Undertaking (Breach Watch Archive)

Isle of Anglesey County Council

What

Loss of sensitive personal information.

How much

Unknown.

Why

Undertaking issued to ensure that any processing of data by another party is carried out under a written contract with instructions regarding security and processing clearly outlined.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The data controller has no written contract in place with the data processor, nor had the controller provided instructions on the security and processing of the data. Both of these violate the Act.

When

18 February 2011.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

Gwent Police

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidentally forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover, the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

Ealing Council

Breach details

What

Loss of sensitive personal information.

How much

958 records.

When

2010

Why

Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator

ICO

Action

Monetary penalty of £80,000

When

08 February 2011

Why the regulator acted

Breach of act

Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.

Known or should have known

Data controller was aware of the possible consequences of such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.

Likely to cause damage or distress

Personal data of clients.

Hounslow Council

Breach details

What

Loss of sensitive personal information.

How much

698 records.

When

2010

Why

Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council who processed the data.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £70,000

When

8 February 2011

Why the regulator acted

Breach of act

Theft of unencrypted laptop. Inappropriate organisational and technical measures.

Known or should have known

There were no policies requiring the encryption of laptops and the data processor’s policies were not monitored, despite the data controller having their own Information Security Policy.

Likely to cause damage or distress

Personal information of clients.

NHS Blood and Transplant

What

Loss of sensitive personal information.

How much

444,031 records.

Why

Organ donation preferences were recorded incorrectly due to a software error.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data must be routinely checked for accuracy.

Reason for action

The software error had been introduced into the system early in 1999 and had not been uncovered in the years that followed due to a lack of data checks.

When

21 January 2011.

Links

View PDF of the NHS Blood and Transplant Undertaking (Via ICO Website)

View PDF of the NHS Blood and Transplant Undertaking (Breach Watch Archive)