Tag Archives: Third party

Walsall Council

Posted on by

What

Accidental disposal of personal data.

How much

951 records.

Why

The appointed data processor accidentally disposed of postal vote statements in a skip.

Regulator

ICO

Regulatory action

Undertaking issued to insure that in the future a written contract exists between data processors and the controller.

Reason for action

There was no written contract between the data controller and the data processor..

When

09 September 2011.

Links

View PDF of the Walsall Council Undertaking (Via ICO Website)

View PDF of the Walsall Council Undertaking (Breach Watch Archive)

Dunelm Medical Practice

Posted on by

What

Loss of sensitive personal data.

How much

Two records.

Why

Two patient discharge letters were mistakenly sent to an unrelated third party organisation.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Electronic Discharge letters are only sent by secure email, where possible and that staff are suitably trained.

Reason for action

Records were transmitted by fax and incorrect numbers were used.

When

01 July 2011.

Links

View PDF of the Dunelm Medical Practice Undertaking (Via ICO Website)

View PDF of the Dunelm Medical Practice Undertaking (Breach Watch Archive)

Co-operative Life Planning Limited

Posted on by

What

Inappropriate disclosure of personal data.

How much

“A substantial volume”

Why

An electronic file containing customer data was sent to a software  support supplier, where it was copied onto the supplier’s own servers.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

When

26 May 2011.

Links

View PDF of the Co-operative Life Planning Limited Undertaking (Via ICO Undertaking)

View PDF of the Co-operative Life Planning Limited Undertaking (Breach Watch Archive)

NHS Liverpool Community Health

Posted on by

What

Loss of sensitive personal information.

How much

31 records

Why

Files were transported in uncollected crates by a removal company which the data controller did not have a contract with.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that written contracts are used whenever third parties might have access to sensitive data and that clear and precise policies will be put into place for how to transport data while moving offices .

Reason for action

Contradictory instructions given to staff members by the removal company lead to confusion as to how the data could be transported, leading to errors made due to short notice.

When

11 April 2011.

Links

View PDF of the NHS Liverpool Community Health Undertaking (Via ICO Undertaking)

View PDF of the NHS Liverpool Community Health Undertaking (Breach Watch Archive)

City of York Council

Posted on by

What

Loss of sensitive personal information.

How much

One record.

Why

The information was erroneously included with documentation sent to an unrelated third party.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that documentation containing personal data is not printed when there is no need to do so.

Reason for action

The information was mistakenly collected from a shared printer by an employee who failed to check that the documentation was only for their case. A lack of quality control prevented this error from being discovered until it was too late.

When

05 April 2011.

Links

View PDF of the City of York Council Undertaking (Via ICO Website)

View PDF of the City of York Council Undertaking (Breach Watch Archive)

Wolverhampton City Council

Posted on by

What

Loss of sensitive personal data.

How much

Unknown.

Why

Personal data belonged to the data controller was dumped in a skip, which was later stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

15 March 2011.

Links

View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)

View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)

Doncaster Metropolitan Borough Council

Posted on by

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)

Isle of Anglesey County Council

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Undertaking issued to ensure that any processing of data by another party in carried out under a written contract with instructions regarding security and processing clearly outlined.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The data controller has no written contract in place with the data processor, nor had the controller provided instructions on the security and processing of the data. Both of these violate the Act.

When

18 February 2011.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

Hounslow Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 698 records.
When 2010
Why Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council who processed the data.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 8 February 2011

Why the regulator acted

Breach of act Theft of unencrypted laptop.
Inappropriate organisational and technical measures.
Known or should have known There were no policies requiring the encryption of laptops and the data processors policies were not monitored, despite the data controller having their own Information Security Policy.
Likely to cause damage or distress Personal information of clients.

Links

View PDF of the Hounslow Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hounslow Council Monetary Penalty Notice (Via ICO Website)

Scottish Court Service

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents were discovered at a recycling centre, inappropriately disposed of.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)