Enfield Council: Confidential Files Found in Disused Building

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links
-

Belfast Health and Social Care Trust

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards, but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physical records there on the internet. Despite security upgrades following this incident, intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Brighton and Sussex University Hospitals NHS Trust

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially, four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives that had been sold on eBay were recovered by the ICO. The Trust was unable to explain how an unnamed individual, sub-contracted by a sub-contractor to the Trust’s IT supplier to destroy 1,000 hard drives, managed to remove at least 252 of those drives from the hospital during his five days on the premises. Despite the security precautions taken, insufficient records were kept to provide a reliable audit trail of which hard drives had and had not been destroyed.
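The missing audit trail is the controllable part of this incident. The check below is an added example, not code from the page, the Trust, its contractors or the ICO: it reconciles a handover log (serials released to the disposal contractor) against the certificates of destruction returned, and refuses sign-off if any drive is unaccounted for, certified twice, certified without a witness, or certified without ever having been handed over. Both logs and their column names are constructed for illustration.

```python
"""Reconcile a drive-disposal handover log against certificates of destruction.

Added example, not code from the page or from the Trust, its contractors or the
ICO. Both CSV logs below are constructed and their column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed handover log: written by hospital staff when custody changes.
HANDOVER_LOG = """serial,asset_tag,handed_over_on
WD-0001,HDD-1001,2010-09-01
WD-0002,HDD-1002,2010-09-01
WD-0003,HDD-1003,2010-09-02
WD-0004,HDD-1004,2010-09-02
WD-0005,HDD-1005,2010-09-03
"""

# Constructed certificates returned by the contractor: one drive is certified
# twice, one certificate has no witness and names a serial never handed over,
# and three drives never come back at all.
DESTRUCTION_CERTS = """serial,destroyed_on,method,witness
WD-0001,2010-09-01,shred,J. Smith
WD-0003,2010-09-02,shred,J. Smith
WD-0003,2010-09-02,shred,J. Smith
WD-0099,2010-09-03,shred,
"""


@dataclass
class Reconciliation:
    handed_over: int            # distinct serials released to the contractor
    certificates: int           # certificate rows returned (not distinct)
    unaccounted: List[str]      # handed over, no certificate: presumed lost
    unknown_certified: List[str]  # certified but never handed over
    duplicate_certs: List[str]  # same serial certified more than once
    unwitnessed: List[str]      # certificate with an empty witness field

    def is_clean(self) -> bool:
        return not (self.unaccounted or self.unknown_certified
                    or self.duplicate_certs or self.unwitnessed)


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(handover_csv: str, certs_csv: str) -> Reconciliation:
    handed = {r["serial"].strip() for r in _rows(handover_csv)}
    certs = _rows(certs_csv)
    seen, duplicates, unwitnessed = set(), [], []
    for cert in certs:
        serial = cert["serial"].strip()
        if serial in seen and serial not in duplicates:
            duplicates.append(serial)
        seen.add(serial)
        if not (cert.get("witness") or "").strip() and serial not in unwitnessed:
            unwitnessed.append(serial)
    return Reconciliation(
        handed_over=len(handed),
        certificates=len(certs),
        unaccounted=sorted(handed - seen),
        unknown_certified=sorted(seen - handed),
        duplicate_certs=sorted(duplicates),
        unwitnessed=sorted(unwitnessed),
    )


def report(r: Reconciliation) -> List[str]:
    """Human-readable summary; sign-off is only possible when is_clean()."""
    lines = [f"{r.handed_over} drives handed over, "
             f"{r.certificates} certificate rows returned"]
    for label, items in (
        ("UNACCOUNTED (handed over, no certificate)", r.unaccounted),
        ("UNKNOWN (certified, never handed over)", r.unknown_certified),
        ("DUPLICATE certificates", r.duplicate_certs),
        ("UNWITNESSED certificates", r.unwitnessed),
    ):
        if items:
            lines.append(f"{label}: {', '.join(items)}")
    lines.append("RESULT: clean" if r.is_clean()
                 else "RESULT: audit trail incomplete, do not sign off")
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(HANDOVER_LOG, DESTRUCTION_CERTS))))
```

The handover log has to be produced by the data controller's own staff at the moment custody changes, not reconstructed afterwards from the contractor's paperwork; otherwise the two inputs are the same record and the reconciliation proves nothing.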

Regulatory action

Regulator ICO
Action Monetary penalty of £ 325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide guarantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical data of patients.

Pharmacyrepublic Ltd

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place so that patient medication record (PMR) data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen from the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected, the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, to which it had been paying a monthly retainer, before the transfer of ownership process.

When

27 Mar 2012

Links

View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)

View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)

London Borough of Barnet

Breach details

What Loss of sensitive personal information.
How much 15 records.
When 23 April 2011
Why Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that a policy was in place to cover this, the policy was found not to address the risk identified by this security breach.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 15 May 2012

Why the regulator acted

Breach of act Loss of paper records.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress Data relating to child exploitation.

Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected but had not been encrypted. As a result of the incident the data controller proposed to improve physical security and implement encryption.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)

Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database relating to children’s swimming lessons was stolen from a ground-level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers, the thief was able to remove the laptop and escape, as the laptop had been left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, including the need to password protect or encrypt the data according to its sensitivity and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However, the data was transmitted unsecured over the internet, and it could not be confirmed that all recipients had deleted the email as requested.
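The failure here is the gap between what the sender believed the attachment held (60 employee numbers) and what it actually held (400 people's personal details). The check below is an added example, not code from the page, from Manpower or from the ICO: it reads a CSV export of the attachment, compares it with the sender's stated contents (expected columns and an upper bound on rows), flags columns whose values or headers look like personal data, and returns a hold decision so the file is encrypted or password protected and the contents confirmed before it leaves. The sample rows, the header keyword list and the value patterns (simplified shapes for UK phone numbers, National Insurance numbers and e-mail addresses) are constructed for illustration; 07700 900xxx is a reserved fictional phone range.

```python
"""Pre-send check for a spreadsheet attachment.

Added example, not code from the page, from Manpower or from the ICO. The sample
CSV, header keywords and value patterns are constructed for illustration.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed sample: the sender believes this holds only employee numbers.
SAMPLE_CSV = """employee_number,name,home_phone,ni_number,salary
E1001,Alice Example,07700 900123,QQ123456C,31000
E1002,Bob Example,07700 900456,QQ654321A,28500
E1003,Carol Example,,QQ111111B,45000
"""

# Simplified value shapes, enough to flag a column; not authoritative validators.
PATTERNS = {
    "uk phone": re.compile(r"^(?:\+44\s?|0)\d{2,4}\s?\d{3}\s?\d{3,4}$"),
    "ni number": re.compile(r"^[A-Z]{2}\d{6}[A-D]$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

# Header words that mark a column as personal data whatever its values look like.
HEADER_KEYWORDS = ("name", "address", "postcode", "phone", "email", "salary",
                   "dob", "birth", "ni_number")


def classify_column(header: str, values: List[str]) -> Optional[str]:
    """Return the kind of personal data a column appears to hold, or None."""
    present = [v.strip() for v in values if v and v.strip()]
    for kind, pattern in PATTERNS.items():
        if present and all(pattern.match(v) for v in present):
            return kind
    lowered = header.lower()
    if any(word in lowered for word in HEADER_KEYWORDS):
        return "header keyword"
    return None


def review_attachment(csv_text: str, expected_columns: List[str],
                      max_rows: int) -> Dict[str, object]:
    """Compare an attachment with what the sender says it contains."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    columns = list(reader.fieldnames or [])
    unexpected = [c for c in columns if c not in expected_columns]
    pii = {}
    for col in columns:
        kind = classify_column(col, [r.get(col) or "" for r in rows])
        if kind:
            pii[col] = kind
    findings = []
    if unexpected:
        findings.append(f"columns not in the stated contents: {unexpected}")
    if len(rows) > max_rows:
        findings.append(f"{len(rows)} rows, sender expected at most {max_rows}")
    if pii:
        findings.append(f"personal data detected: {pii}")
    # Anything unexpected means the attachment is not what the sender described:
    # hold it until it is encrypted or password protected and the contents and
    # recipient list have been confirmed.
    return {
        "row_count": len(rows),
        "unexpected_columns": unexpected,
        "pii_columns": pii,
        "findings": findings,
        "decision": "send" if not findings else "hold",
    }


if __name__ == "__main__":
    result = review_attachment(SAMPLE_CSV, ["employee_number"], max_rows=60)
    for line in result["findings"]:
        print("-", line)
    print("decision:", result["decision"])
```

The decision is deliberately binary: a spreadsheet that contains even one column the sender did not know about is treated as sensitive until someone looks at it, because the sender's own belief about the contents is exactly what failed in this case.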

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Central Essex Community Services

What

Loss of sensitive personal data.

How much

249 records.

Why

Loss of a birth book from a locked storage room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient physical security measures are in place for the storage of paper medical records and that compliance with these measures is monitored.

Reason for action

The birth book was supposed to be locked in a filing cabinet in accordance with the data controller’s policy, but it was stored on top of the cabinet due to a lack of storage space.

When

21 November 2011.

Links

View PDF of the Central Essex Community Services Undertaking (Via ICO Website)

View PDF of the Central Essex Community Services Undertaking (Breach Watch Archive)

Holly Park School

What

Loss of sensitive personal data.

How much

Nine records.

Why

Theft of an unencrypted laptop from school premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted and are kept physically secure.

Reason for action

Although the laptop was kept in a locked filing cabinet, the office in which it was housed was not locked.

When

05 October 2011.

Links

View PDF of the Holly Park School Undertaking (Via ICO Website)

View PDF of the Holly Park School Undertaking (Breach Watch Archive)