Lancashire County Council

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
Documents containing a considerable amount of personal data were found in filing cabinet purchased second hand.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a formal written procedure is produced and implemented to ensure that any office furniture or equipment that is to be moved or disposed of is properly checked for personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The records were duplicates of documents held in the data controller’s office and contained extensive personal data. Enquiries revealed that the data controller had no formal written policy to ensure and document that cabinets or drawers were empty of personal data prior to disposal or removal.

When
11 January 2010

Links
View PDF of the Lancashire County Council Undertaking (Breach Watch Archive)

Bellgrange Mortgages & Insurance Services Ltd

What
Loss of sensitive personal data.

How much
A number of records.

Why
Paper documents containing client details were inappropriately disposed of in waste bins intended for the use of local residents.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The documents were left in the waste bins overnight prior to their collection by the waste disposal contractor. Following their discovery the documents were either returned to Bellgrange or destroyed.

When
9 December 2009

Links
View PDF of the Bellgrange Mortgages & Insurance Services Ltd Undertaking (Breach Watch Archive)

NHS Grampian

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

  • The inappropriate distribution of an email containing sensitive personal data relating to an individual.
  • Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
  • An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

  • A senior nursing manager distributing an email from another senior manager to over 50 other staff without first consulting either the sender of the data controller’s Information Governance Manager.
  • Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
  • An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
  • Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)

East Cheshire NHS Trust

What
Loss of sensitive personal data.

How much
About 60 records.

Why
Personal data relating to over 60 patients were found in a garden in Newcastle-under-Lyme. This followed an office move during which an external company was retained to clear out scrap and rubbish from vacated premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that in all cases where third party supplies of goods or services will have access to personal data, a written contract must be entered into prior to work beginning which covers data security requirements. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
The data controller did not enter into any written contract with the external company, nor where its actions appropriately supervised. It was noted during the clearance operations that boxes of data were being disposed of in open skips, but the data controller failed to react to this in time to prevent loss of some records.

When
27 July 2009

Links
View PDF of the East Cheshire NHS Trust Undertaking (Breach Watch Archive)

Dr Paul Thomas

What
Loss sensitive of personal data.

How much
“A large number” of records.

Why
The Suffolk Primary Care Trust’s Practice server was found in the Gipping Valley Practice car park by one of the data controller’s employees. The Server held data relating to a large number of patients and staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the decommissioning process regarding Practice servers and other such devices has been completed successfully in order to ensure the safety of any personal data.

Reason for action
The decommissioning process did not ensure the security of personal data.

When
10 July 2009

Links
View PDF of the Dr Paul Thomas Undertaking (Breach Watch Archive)

Counted4 CIC

What
Loss sensitive of personal data.

How much
84 records.

Why
A filing cabinet containing paper records referring to the personal details of 84 individuals undergoing Drug Rehabilitation Requirements was lost during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the physical security of personal data be ensured, especially during transit. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
A building contractor was employed to transport a number of cabinets to the new sit and insufficient organisational measures were made to prevent cabinets containing data for transfer from being mixed with obsolete cabinets to be disposed of.

When
9 July 2009

Links
View PDF of the Counted4 CIC Undertaking (Breach Watch Archive)

Phones 4U Ltd

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Phones 4U premises in Market Way, Coventry, and Regent Street, Swindon. The information included documentation showing customer names and addresses, and bank account details.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
17 May 2007

Links
View PDF of the Phones 4U Ltd Undertaking (Breach Watch Archive)

Dipesh Limited (Trading as Cash Generator)

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Cash Generator premises in Bridge Street, Nuneaton, including correspondence showing customer names and addresses.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
23 April 2007

Links
View PDF of the Dipesh Limited (Trading as Cash Generator) Undertaking (Breach Watch Archive)

Post Office Limited

What
Loss of personal data

How much
250 records.

Why
Items of personal information were recovered from refuse bins used by the London Road Southampton, Rymans franchise branch of the data controller. The information consisted of 65 Firm E111 applications forms, 158 receipts, 12 travel insurance forms, eight daily passport schedules and a money transfer showing the name of seven customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that data protection procedures are reviewed and updated where necessary to ensure that the correct procedures are in place for the handling and disposal of personal data. Staff must be sufficiently trained in these procedures.

Reason for action
The data controller had established procedures as evidenced by a declaration form (Form P13), but the breach nevertheless occurred and the ICO received complaints from members of the public.

When
26 February 2007

Links

View PDF of the Post Office Limited Undertaking (Breach Watch Archive)

The Royal Bank of Scotland plc

What
Loss of personal data

How much
23 records.

Why
Items of personal data were recovered from refuse bins outside branches in Fareham, Manchester, Nottingham and Glasgow, including documents relating to individual accounts and application forms, a private banking form and a photocopy of a customer’s provisional driving license.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to all relevant staff.

Reason for action
The ICO had received complaints about the data controller’s breach of the Seventh Data Protection Principle.

When
23 February 2007

Links

View PDF of the Royal Bank of Scotland plc Undertaking (Breach Watch Archive)