Prospect

Breach details

What Loss of sensitive personal information (Union membership).
How much About 19,000 records.
When 08 Dec 2011
Why Two files containing member data were sent as part of a tendering process to an unknown email address in error. The files were encrypted but the password was also sent seperately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised, not only does it increase the risk of breaching the seventh principle, but it will also breach the first and second principles; although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – passwords should always be sent at a minimum by a separate channel.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 16 Jan 2013
Details The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Leeds City Council

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to 4 data subjects.
When 28 July 2011
Why A support assistant, following council policy and re-using an old envelope for internal mail, failed to cross out the original address and later mistakenly put the envelope in the external post tray. As a result, the document was received by an unauthorised individual.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 95,000
When 16 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
Known or should have known The ICO was satisfied that the Council should have known that that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.

Devon County Council

Breach details

What Loss of sensitive personal data
How much Personal data relating to approximately 22 data subjects.
When 12 May 2011
Why A social worker prepared an adoption panel report using another family’s report as template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 10 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.

London Borough of Lewisham

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to an undisclosed number of data subjects.
When 16 March 2012
Why Case papers relating to a child protection matter were taken out of the office in a plastic bag and were mistakenly left on a train.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 12 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council had failed to take appropriate measures against the accidental loss of personal data such as having robust policies/ guidelines in place; training for staff who need to take paper files containing sensitive personal data out of the office; providing security locks for bags and using encrypted USBs.
Known or should have known The council recognised that social workers had a business need to take paper files containing confidential and sensitive personal data out of the office and should have put reasonable measures in place to prevent data loss.
Likely to cause damage or distress The data loss would potentially cause substantial distress to individuals including vulnerable children who may know or suspect that their confidential and highly sensitive personal data has been disclosed; and the contravention could have prejudiced the court hearing of the child protection case.

Tetrus Telecoms – Christopher Niebel and Gary McNeish

Breach details

What Serious breach of the Privacy and Electronic Communications Regulations (PECR).
How much Sent millions of unsolicited text messages.
When From December 2009 onwards.
Why Concealed identity and/or failed to provide a valid ‘cease’ address. Sent automated marketing without the necessary opt-in permissions.

BW Comments

Millions of spam SMS messages sent from over 16,000 SIM cards. There can’t have been anyone in the UK that didn’t receive one of Tetrus’s offers to reclaim PPI or pursue a road accident claim.

Regulatory action

Regulator ICO
Action Christopher Niebel: Monetary penalty of £ 300,000
Gary McNeish: Monetary penalty of £ 140,000
When 28 November 2012

Why the regulator acted

Breach of act Breach of regulations 22(2) and 23 of PECR, characterised by the ICO as “continued, repetitive and deliberate contraventions of the law.”
Known or should have known The Commissioner found evidence that the participants deliberately hid their identity and made no attempt to ensure they had the recipient’s opt-in to receive automated messages.
Likely to cause damage or distress Although most people would agree that the receipt of these unwanted text messages is annoying, the Commissioner argues that they the messages caused damage and distress.

BW Observations

That the individuals concerned deliberately flouted the Privacy and Electronic Communications Regulations is not in doubt. The Commissioner’s arguments in respect of the damage and distress caused are informative.

  1. That although the distress / annoyance caused by each individual SMS sents is small, because of the number of messages sent by Niebel and McNiesh, the cumulative distress suffered by “huge numbers of individuals” equates to substantial distress. It will be interesting to see if this is argued in Mr Nielbel’s appeal to the Information Tribunal (EA/2012/0260).
  2. Some recipients were overseas at the time messages were sent, so had to pay their mobile telecommunications provider additional fees for receiving these SMSs when overseas, resulting in real monetary damage.
  3. People receiving emails about an accident claim may worry about other family members, and such messages also had the potential to be disturbing to people who had been involved in accidents.
  4. The wording used had the potential to cause distress by raising false expectations, e.g. “we know how much you are owed” and “You are almost certainly entitled to £2,300.”

Plymouth City Council

Breach details

What Loss of sensitive personal data (child protection).
How much 2 records.
When 23 November 2011
Why As a result of a printing problem, two seperate reports were taken from a printer by a social worker, treated as single document and passed to a service user.

BW Comments

A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment it is not unreasonable – given the widespread availability and relative low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 19 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided.
Known or should have known The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress The information concerned child protection and could have have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight, however the breach occurred because there were no controls in place and not because a in-place control failed.

Prudential Assurance Company

Breach details

What Data integrity – two customers’ records were merged incorrectly.
How much 2 records.
When March 2007 until 24 September 2010
Why Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers.

BW Comments

The breach of the fourth principle was not in respect of the original erroneous merge, but that the Data Controller failed to rectify the problem.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 50,000
When 6 November 2012

Why the regulator acted

Breach of act Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate of rectify the problem.
Known or should have known The ICO’s view was that Prudential, as “a large company in the financial services sector with approximately six million customers” should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when this was reported by a customer.
Likely to cause damage or distress The ICO’s view is that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred in that tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account and was moved away from the Prudential (although all funds have since been recovered, and compensation paid).

BW Observations

The first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning in respect of the degree of damage or distress is debateable, what is interesting is the Commissioner’s reasoning in respect of the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but given such an error was probable in a company with six million customers, that there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.

Organisations should consider whether they have the necessary training and systems in place to recognise that what might appear as a simple change of address problem in a front-line system to be identified and investigated as a potential breach of integrity.

Department of Education

Breach details

What Loss of personal information.
How much An unknown number of records.
When 28/29 June 2012
Why The Register reported that Email addresses, unencrypted passwords and individual’s answers to questions posed in a consultation were accesable due to a security flaw in the Department for Education’s website.

BW Comments

Judging by the description in The Register the vulnerability looked like a session management problem. Something that should have been caught be the most rudimentary penetration test.

Regulatory action

Regulator ICO
Action None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”

BW Observations

Just because an organisation breaks the DPA the ICO isn’t bound to take action, however BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any web site that collected personal data.

Stoke-on-Trent City Council

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.