Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data controller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Torbay Care Trust

Breach details

What Loss of sensitive personal data.
How much 1,373 records.
When April 2011
Why Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an Excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator ICO
Action Monetary penalty of £175,000
When 6 August 2012

Why the regulator acted

Breach of act Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress Financial and Medical data. May have been accessed by untrustworthy third parties.

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and, at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young People’s Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff training was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breachwatch Archive)

Chartered Institute of Public Relations

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012.

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)

Orbit Heart of England Housing Association

What
Loss of sensitive personal data.

How much
1,000 records.

Why
57 paper files went missing at the time of an office move, although 42 of them have since been recovered intact.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of, and trained to follow, the data controller’s new procedures with regard to office moves.

Reason for action
Investigations revealed that no inventory of files had been made prior to the move, so staff were initially uncertain as to how many files should have been received at the new office, and that many of the files had not been unpacked after 6 months.

When
30 November 2009

Links
View PDF of the Orbit Heart of England Housing Association Undertaking (Breach Watch Archive)

Mid Staffordshire NHS Foundation Trust

What
Loss of sensitive personal data.

How much
About three records.

Why
A member of the trust’s HR department saved a “Statement of Case” on a home computer in contravention of trust policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. The policy covering the storage and use of personal data must be followed by staff, especially when working from home. Trust policies must be amended to include explicit reference to staff data in terms of protecting personal information. Portable media devices must be suitably encrypted.

Reason for action
The information on the computer had not been password protected or encrypted. The Trust initially failed to demonstrate appropriate urgency in the securing of the data concerned.

When
2 October 2009

Links
View PDF of the Mid Staffordshire NHS Foundation Trust Undertaking (Breach Watch Archive)

Billing Pharmacy Limited

What
Loss of sensitive personal data.

How much
About 1,000 records.

Why
An unencrypted computer containing the personal data of around 1,000 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices and computers used to store or transport personal data are suitably encrypted. A data protection policy must be drafted and all staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action
It was not possible to notify the patients affected by the theft as the data on the computer was not separately backed up. Further enquiries revealed that the data controller did not have in place appropriate policies and procedures with regard to data protection matters.

When
8 September 2009

Links
View PDF of the Billing Pharmacy Limited Undertaking (Breach Watch Archive)