Ministry of Justice

Breach details

What An unencrypted, non-password protected, portable hard drive stored in a prison’s Security Department and used to back up the prisoner intelligence database, was lost. This followed a virtually identical breach in 2011.
How much 16,000 records and 2,935 records.
When October 2011 and 24 May 2013.
Why The hard drive had last been used on 18 May 2013 for the weekly backup, but had not been locked up afterwards in a fireproof safe, as required. Following the previous breach in 2011, remedial action had been taken, including the distribution of encrypted hard drives to 75 prisons that had previously been using unencrypted portable hard drives. However, it was not realised that the encryption software on these new drives required manual activation. As a result, prisoner intelligence information was being held on unencrypted portable devices in 75 prisons for a period of at least 12 months.

Regulatory action

Regulator ICO
Action Monetary penalty of £180,000
When 26 August 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: The Ministry failed to take appropriate technical measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as taking steps to ensure that the portable hard drives that were used to back up the prisoner intelligence database in 75 prisons had actually been encrypted.
Known or should have known The Ministry was aware that prisons across the entire estate were backing up this information on a weekly basis pending the implementation of a new intelligence system. As a result of a virtually identical security breach in October 2011, the data controller was also aware that the portable hard drives used to back up this intelligence information in 75 prisons were unencrypted. As it was routine to handle sensitive personal data relating to prisoners, it should have been obvious that such a contravention would be of a kind likely to cause substantial damage and/or substantial distress to the data subjects.
Likely to cause damage or distress The scale of the breach posed a significant risk of causing serious detriment to thousands of prisoners in England and Wales. The data subjects would be likely to suffer substantial distress knowing that their confidential and sensitive personal data may be accessed by unauthorised third parties, aggravated by the fact that the hard drive has still not been recovered. If the data has in fact been accessed by untrustworthy third parties, then it is likely that the contravention would cause further distress and substantial damage.

Kent Police

Breach details

What Highly sensitive and confidential information, including copies of police interview tapes, was left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter and noticed a box of videotapes bearing the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view their contents as a possible source of entertainment.
How much Numerous records dating as far back as the late 1980s.
When 28 November 2012.
Why In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 19 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.
Known or should have known The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.
Likely to cause damage or distress The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects, even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer, who had no right to see that information. Furthermore, there was a risk that the data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Department of Justice Northern Ireland

Breach details

What A locked filing cabinet containing sensitive personal data relating to claims arising from terrorist incidents in Northern Ireland was sold at auction.
How much Not specified – four-drawer filing cabinet.
When 12 May 2012.
Why In the course of an office move the filing cabinet was sent to auction for disposal. Despite it being locked (and the weight of the cabinet must have indicated that it wasn’t empty), the Data Controller simply ignored the fact that there may have been personal data in the filing cabinet and sent it to auction. When the purchaser of the cabinet forced the lock they realised the sensitivity of the information and called the police to take the information away.

Regulatory action

Regulator ICO
Action Monetary penalty of £185,000.
When 14 Jan 2014.

Why the regulator acted

Breach of act Breach of the seventh data protection principle. The Commissioner argued that the Data Controller should have had “detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another”.
Known or should have known Given the sensitive political nature of the contents of the cabinet, and the fact that the cabinet was kept locked, the Data Controller should have known that the unauthorised release of the information was likely to cause “substantial distress”.
Likely to cause damage or distress The Commissioner states that substantial distress was not actually caused in this case, but argues that had the buyer of the cabinet not contacted the police to remove the data, substantial distress would have occurred.

North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone, and it has not been recovered to date. The USB stick had been issued in 2005 so that the teacher could access necessary data on the visits to schools and community locations that took up the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident, and staff could only encrypt their devices through voluntary initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non-mandatory and attendance cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks were identified in 2009 but not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although an encryption service was available from this point, it was voluntary and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, so Panasonic’s comprehensive data protection policies, which would have prevented this breach, were not automatically applied. It appears that these policies were not communicated to the company, and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Cardiff and Vale University Health Board

Breach details

What Loss of a bag containing sensitive personal data including a mental health act tribunal report, a solicitor’s letter, and five CVs.
How much Documents relating to at least seven individuals.
When 26 November 2012.
Why A consultant psychiatrist lost their bag containing these documents when cycling home from the office. The documents were necessary for the consultant to work outside of the office environment, but although other more secure means of transporting the data or remote server access were available they were not communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 04 October 2013.
Details The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.

Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in cash was stolen from the proprietor’s car while it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Local Government Ombudsman (the LGO)

Breach details

What Theft of a bag containing an encrypted portable media device and hard copy papers relating to planning application complaints. This included sensitive personal information relating to one complainant’s physical or mental health.
How much 8 complaints.
When Unknown.
Why A bag containing sensitive personal information was stolen from one of the Ombudsman’s investigators at a public house. There was a specific reason for the papers to be taken out of the office, and a policy on the security of information in transit existed, but staff were unaware of the policy due to a lack of training.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 22 August 2013.
Details The organisation shall provide mandatory annual training to all staff whose role includes the routine processing of personal information. It shall also ensure that all staff are aware of its policies relating to personal information and are updated on any changes to these policies.

Islington Borough Council

Breach details

What Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.
How much 2,375 records.
When 26 June 2012.
Why Spreadsheets prepared by one department in response to an FOIA request used pivot tables to provide the summary information requested. However, the published spreadsheets also contained the raw source data in hidden worksheets within the same workbook. The request originated via the WhatDoTheyKnow website, which automatically publishes all FOIA responses to the web, making them publicly available.

Regulatory action

Regulator ICO
Action Monetary penalty notice of £70,000.
When 20 August 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
Known or should have known The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
Likely to cause damage or distress The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.
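The Islington breach above came down to data that the visible summary sheets did not show. As an added example (not code from the report or from the Council), here is a stdlib-only Python pre-publication check: it reads the sheet list from the workbook’s xl/workbook.xml and flags sheets marked hidden or veryHidden, and it also flags pivot-cache parts, which the report does not mention but which hold a cached copy of a pivot table’s source rows. The sample workbook is constructed inline and contains only the parts the check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used inside xl/workbook.xml
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def release_findings(xlsx_bytes: bytes) -> dict:
    """Scan an .xlsx (a zip archive) for data the visible sheets do not show.

    - xl/workbook.xml lists every sheet; state="hidden" or state="veryHidden"
      marks sheets Excel does not display but still ships inside the file.
    - xl/pivotCache/pivotCacheRecords*.xml parts hold a pivot table's cached
      copy of its source rows, which survives even if the source sheet is deleted.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        parts = zf.namelist()
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
    hidden = [
        (sheet.get("name"), sheet.get("state"))
        for sheet in workbook.iterfind("m:sheets/m:sheet", NS)
        if sheet.get("state", "visible") != "visible"
    ]
    caches = sorted(p for p in parts if p.startswith("xl/pivotCache/pivotCacheRecords"))
    return {"hidden_sheets": hidden, "pivot_caches": caches,
            "safe_to_publish": not hidden and not caches}


def build_sample_xlsx(sheet_states, extra_parts=()) -> bytes:
    """Constructed sample workbook: only the parts the scanner reads are written,
    so Excel would not open it, but the structure matches a real .xlsx."""
    sheets = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state else "") + "/>"
        for i, (name, state) in enumerate(sheet_states, start=1)
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", xml)
        for part in extra_parts:  # placeholder bodies; only their presence matters
            zf.writestr(part, "<pivotCacheRecords/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Mimics the Islington response: a visible pivot summary plus the raw
    # source data on hidden sheets and in the pivot cache (constructed names).
    sample = build_sample_xlsx(
        [("Summary", None), ("Housing applicants", "hidden"), ("Source", "veryHidden")],
        extra_parts=("xl/pivotCache/pivotCacheRecords1.xml",),
    )
    print(release_findings(sample))
```

Unhiding a sheet and deleting its rows is not enough on its own; the pivot cache part must also be gone, which is why the check looks at the zip contents rather than only at the sheet list.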

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.