London Borough of Sutton

What
Loss of sensitive personal data.

How much
About 119 records.

Why
Numerous Incidents:

  • A paper file containing personal data relating to 73 individuals receiving social care went missing from an office.
  • A document package relating to childcare proceedings was left with the neighbour of an intended recipient and subsequently went missing.
  • An unencrypted laptop containing personal data relating to 9 children was stolen from a locked cupboard on a children’s hospital ward.
  • An unencrypted laptop containing social care data relating to 39 individuals was stolen from the home of an employee of the data controller.
  • 9 administration computers used to access data in the data controller’s network were stolen, but some files may have been downloaded onto the computers’ hard drives in breach of policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The various breaches demonstrated a lack of security, both physical and technical. The sheer number of breaches betrayed an overall organisational weakness.

When
29 July 2009

Links
View PDF of the London Borough of Sutton Undertaking (Breach Watch Archive)

London Clubs International Limited

What
Loss of personal data.

How much
26,000 records.

Why
An unencrypted laptop was stolen from the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. The physical security of such devices must be ensured.

Reason for action
The laptop was password protected, but not encrypted.

When
10 July 2009

Links
View PDF of the London Clubs International Limited Undertaking (Breach Watch Archive)

Oldham Council

What
Loss of sensitive personal data.

How much
220 records.

Why
13 unencrypted laptops were stolen during a burglary at secure council offices, with the exception of one stolen from a staff member’s car and another that was stolen during the course of a youth activity evening.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
Three of these unencrypted laptops held sensitive personal data and the council did not take adequate steps to safeguard the data, either through encryption, or better physical security in respect of the two laptops stolen outside of council property.

When
7 July 2009

Links
View PDF of the Oldham Council Undertaking (Breach Watch Archive)

Hampshire Partnership NHS Trust

What
Loss of personal data.

How much
607 records.

Why
An unencrypted laptop containing personal data relating to staff and patients was stolen from an employee’s hotel room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it. Compliance with these policies must be monitored.

Reason for action
The laptop was unencrypted and stolen from the employee while he was attending a conference.

When
26 June 2009

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)

Manchester City Council

What
Loss of personal data.

How much
1,754 records.

Why
Two unencrypted laptops were stolen from the internal audit offices in the Town Hall.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted. Only personal data absolutely necessary for audit purposes may be downloaded to mobile devices. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptops were not encrypted, password protected, or secured to immovable objects, in breach of a number of the data controller’s internal policies and procedures, in which all staff had received training.

When
16 June 2009

Links
View PDF of the Manchester City Council Undertaking (Breach Watch Archive)

Surrey and Sussex Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
103 records.

Why
A ward handover sheet was lost and two unencrypted laptops were stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The handover sheet was later located on a bus. The laptops were protected by three locked doors, but the investigation revealed that staff had poor knowledge of the requirement to store data relating to trust business on secure network drives.

When
3 June 2009

Links
View PDF of the Surrey and Sussex Healthcare NHS Trust Undertaking (Breach Watch Archive)

The Highland Council

What
Loss of sensitive personal data.

How much
1,400 records.

Why
Two unencrypted laptops were stolen from a locked office on the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted.

Reason for action
The laptops were not encrypted and no additional physical security measures were in place beyond being placed in a locked office.

When
2 June 2009

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

Salford Royal NHS Foundation Trust

What
Loss of sensitive personal data.

How much
3,500 records.

Why
An unencrypted desktop computer containing personal data was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted and only held for as long as absolutely necessary. Mandatory induction data protection training must be given to all staff.

Reason for action
The desktop computer was not secured to the desk or encrypted. Initially the incident was treated only as a loss of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data.

When
22 May 2009

Links
View PDF of the Salford Royal NHS Foundation Trust Undertaking (Breach Watch Archive)

Hull and East Yorkshire Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
In the first incident an unencrypted desktop PC containing personal data relating to about 300 patients was lost during refurbishment. On the second occasion a disused unencrypted laptop containing personal data relating to 2,000 patients from prior to January 2007 was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Personal data must not be held on any media for any longer than needed. All staff must receive adequate data protection training and be reminded of internal policies regularly.

Reason for action
The data controller did have in place policies and procedures relating to data security and the storage and transfer of equipment and data, but they were not followed in either instance.

When
7 April 2009

Links
View PDF of the Hull and East Yorkshire Hospitals NHS Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data must be implemented. All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of sight, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)