Lancashire Teaching Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

Two records.

Why

Sensitive personal information was mistakenly faxed to a member of the public on several occasions.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the organisation's policies regarding the use and storage of sensitive data and its security.

Reason for action

The wrong number was mistakenly inserted into the fax machine.

When

1 July 2011.

Links

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Via Breach Watch Archive)

Dunelm Medical Practice

What

Loss of sensitive personal data.

How much

Two records.

Why

Two patient discharge letters were mistakenly sent to an unrelated third party organisation.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Electronic Discharge letters are only sent by secure email where possible, and that staff are suitably trained.

Reason for action

Records were transmitted by fax and incorrect numbers were used.

When

01 July 2011.

Links

View PDF of the Dunelm Medical Practice Undertaking (Via ICO Website)

View PDF of the Dunelm Medical Practice Undertaking (Breach Watch Archive)

Co-operative Life Planning Limited

What

Inappropriate disclosure of personal data.

How much

“A substantial volume”

Why

An electronic file containing customer data was sent to a software support supplier, where it was copied onto the supplier’s own servers.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

When

26 May 2011.

Links

View PDF of the Co-operative Life Planning Limited Undertaking (Via ICO Undertaking)

View PDF of the Co-operative Life Planning Limited Undertaking (Breach Watch Archive)

Somerset County Council

What

Loss of sensitive personal data.

How much

One record.

Why

An employee working on two cases inadvertently enclosed one child’s assessment letter to the other family.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

The incident revealed a lack of sufficient checks and controls in areas of the data controller’s operations dealing with significant amounts of personal data.

When

13 May 2011.

Links

View PDF of the Somerset County Council Undertaking (Via ICO Website)

View PDF of the Somerset County Council Undertaking (Breach Watch Archive)

City of York Council

What

Loss of sensitive personal information.

How much

One record.

Why

The information was erroneously included with documentation sent to an unrelated third party.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that documentation containing personal data is not printed when there is no need to do so.

Reason for action

The information was mistakenly collected from a shared printer by an employee who failed to check that the documentation was only for their case. A lack of quality control prevented this error from being discovered until it was too late.

When

05 April 2011.

Links

View PDF of the City of York Council Undertaking (Via ICO Website)

View PDF of the City of York Council Undertaking (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was inappropriately sent out in response to a third-party Subject Access Request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests led to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Doncaster Metropolitan Borough Council

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)

Hertfordshire County Council

Breach details

What: Loss of highly sensitive personal information by fax.
How much: 47 records.
When: 11 June 2010
Why: Two faxes were sent to the wrong recipients.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £100,000
When: 22 November 2010

Why the regulator acted

Breach of act: Faxes sent to the wrong recipient. Inappropriate organisational and technical measures.
Known or should have known: The ICO's advice on faxing protocols after the first incident was ignored, but the risk had been made clear.
Likely to cause damage or distress: Data relating to vulnerable children.

Portsmouth City Council

What

Inappropriate disclosure of personal information.

How much

One record.

Why

Third-party data related to an individual was inappropriately released in response to a subject access request (SAR).

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all individuals dealing with SARs receive sufficient training and guidance.

Reason for action

It transpired that the individual tasked with redacting data for this type of request was neither an employee of the data controller nor acting under process as a data processor. It was also revealed that the guidance on, and checking of, these processes was inadequate.

When

19 October 2010

Links

View PDF of the Portsmouth City Council Undertaking (Via ICO Website)

View PDF of the Portsmouth City Council Undertaking (Breach Watch Archive)

Lord Chief Justice of Northern Ireland

What

Inappropriate disclosure of personal information.

How much

One record.

Why

A document containing an individual’s name and address was inadvertently attached to an email and sent to over three hundred individuals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of, and are appropriately trained in, procedures for distributing emails, and that adequate checks are carried out.

Reason for action

Although staff had received advice and training on data protection issues in general, there was no written guidance or instructions on how to deal with this type of work.

When

19 October 2010

Links

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Via ICO Website)

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Breach Watch Archive)