British Pregnancy Advice Service

Breach details

What A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.
How much 9,900 records.
When 08 March 2012.
Why The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing so continued to remain ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 07 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures.
Known or should have known BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information.
Likely to cause damage or distress The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation).

Great Ormond Street Hospital for Children NHS Foundation Trust

Breach details

What Letters containing medical information were sent to the wrong address.
How much 4 records.
When A period of 18 months up to November 2013.
Why Letters were sent out by temporary or bank staff who had not received relevant data protection training as such training was not required for temporary members of staff. Permanent staff were also not obliged to attend training as it was not enforced. In addition to this there were no policies or procedures in place to ensure the accuracy of addresses.

Regulatory action

ActionUndertaking to comply with the seventh data protection principle.

Regulator ICO
When 21 November 2013.
Details Temporary or bank staff must be provided with data protection training before working with personal and sensitive personal data and all training is to be monitored and attendance enforced. Processes are also to be put in place to ensure documents are sent to the right address and practical guidance is to be communicated to all staff.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s sytems and should be refreshed within two years. In addition to training new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer thereby making the data available to the public. The documents were discovered on 15th February 2012 and were removed (along with all cached versions) within four hours. However, on 18th February a national newspaper published a story on this incident although personal data was not included after a discussion with the Council.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals.There is also the risk that the information may have been further disseminated and misused.

Hertfordshire Constabulary

Breach details

What Breach of the First and Third Data Protection Principles and the European Convention on Human Rights.
Personal data in the form of vehicle numberplates.
How much An unknown number of records.
When Unknown.
Why Currently all vehicles entering and leaving Royston have their numberplates recorded by ANPR cameras. Although this data can only be accessed in limited circumstances the Commissioner is concerned it could be used for other purposes, and there is a risk of its unauthorised or unlawful access.

Regulatory action

Regulator ICO
Action Enforcement Notice Issued to Hertfordshire Constabulary.
When 15 July 2013.
Details Enforcement notice issued to ensure that within 90 days the personal data recorded by the ANPR cameras will no longer be processed without a Privacy Impact Assessment.

Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four year period a number of faxes containing personal information were sent to incorrect recipients rather than the bank’s certal processing systems. These breaches occurred on different faxes in different locations, and were made by a large number of staff from different branches. This was due to misdialling and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated his dislike of faxing, especially if the errors occurred because of manual misdialling which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach where a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.

Prudential Assurance Company

Breach details

What Data integrity – two customers’ records were merged incorrectly.
How much 2 records.
When March 2007 until 24 September 2010
Why Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers.

BW Comments

The breach of the fourth principle was not in respect of the original erroneous merge, but that the Data Controller failed to rectify the problem.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 50,000
When 6 November 2012

Why the regulator acted

Breach of act Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate of rectify the problem.
Known or should have known The ICO’s view was that Prudential, as “a large company in the financial services sector with approximately six million customers” should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when this was reported by a customer.
Likely to cause damage or distress The ICO’s view is that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred in that tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account and was moved away from the Prudential (although all funds have since been recovered, and compensation paid).

BW Observations

The first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning in respect of the degree of damage or distress is debateable, what is interesting is the Commissioner’s reasoning in respect of the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but given such an error was probable in a company with six million customers, that there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.

Organisations should consider whether they have the necessary training and systems in place to recognise that what might appear as a simple change of address problem in a front-line system to be identified and investigated as a potential breach of integrity.

First Response Finance Ltd

What
Loss of personal data.

How much
One record.

Why
The data controller was attempting to establish the current employment of an individual, for the purpose of an application to the Court for an Attachment of Earnings order. The fax which was brought to a District Judge’s attention contained questions asking for personal data which were irrelevant and execisve for the purpose.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Act and in particular the First and Third Principles.

Reason for action
The data controller was asking for personal data without any necessity to do so.

When
11 May 2009

Links
View PDF of the First Response Finance Ltd Undertaking (Breach Watch Archive)