Tag Archives: Loss of Sensitive Personal Data

Asperger’s Children & Carers Together (ACCT)

Posted on by

What

Loss of sensitive personal data

How much

Unknown.

Why

Theft of an unencrypted laptop from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted

Reason for action

The stolen laptop was unencrypted and investigation revealed that the data controller’s policies and procedures did not fully comply with the Act’s requirements.

When

27 May 2011.

Links

View PDF of the Asperger’s Children & Carers Together Undertaking (Via ICO Website)

View PDF of the Asperger’s Children & Carers Together Undertaking (Breach Watch Archive)

Wheelbase Motor Project

Posted on by

What

Loss of sensitive personal data.

How much

50 records.

Why

Theft of an unencrypted portable hard drive.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

Although the format of the hard drive would have been incompatible with most desktop systems and the sensitive files were password protected it was ruled that this was insufficient security

When

27 May 2011.

Links

View PDF of the Wheelbase Motor Project Undertaking (Via ICO Website)

View PDF of the Wheelbase Motor Project Undertaking (Breach Watch Archive)

Somerset County Council

Posted on by

What

Loss of sensitive personal data.

How much

One record.

Why

An employee working on two cases inadvertently enclosed one child’s assessment letter to the other family.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.

Reason for action

The incident revealed a lack of sufficient checks and controls in areas of the data controller’s operations dealing with significant amounts of personal data.

When

13 May 2011.

Links

View PDF of the Somerset County Council Undertaking (Via ICO Website)

View PDF of the Somerset County Council Undertaking (Breach Watch Archive)

Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

Posted on by

Breach details

What Loss of sensitive personal information.
How much 6,000 records.
When 2009 – May 2010
Why Insufficient measures taken to protect spreadsheets containing personal data, which was made available online following a DDOS attack.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 1,000
When 10 May 2011

Why the regulator acted

Breach of act Unencrypted spreadsheets were placed on a torrent site following a denial of service attack. “Home-use” web service used rather than a business package.
Inappropriate organisational and technical measures.
Known or should have known Data controller was fully aware of the sensitive nature of the data he dealt with and that his business was controversial and unpopular with some. The risk of attack was clear, yet he set up his set without professional IT advice.
Likely to cause damage or distress Financial and medical information of many individuals.

Links

View PDF of the Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law Monetary Penalty Notice (Via ICO Website)

NHS Birmingham East and North

Posted on by

What

Sensitive personal information kept insufficiently secure.

How much

“Thousands” of records.

Why

The data controller realised that its own employees could access restricted information relating to patients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technical security measures are adequate to ensure the security of data.

Reason for action

The data controller brought the matter to the attention of the Data Commissioner. Although this data was only accessible internally it was felt that this displayed inadequate security.

When

20 April 2011.

Links

View PDF of the NHS Birmingham East and North Undertaking (Via ICO Website)

View PDF of the NHS Birmingham East and North Undertaking (Breach Watch Archive)

Norwich City College of Further and Higher Education

Posted on by

What

Loss of sensitive personal information on two occasions.

How much

80 records.

Why

Hard copy records were disposed of inappropriately and insecurely.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

The records were disposed of in standard black bin liners and were thrown into a skip on college grounds by cleaning staff, the same as any other waste.

When

19 April 2011.

Links

View PDF of the Norwich City College of Further and Higher Education Undertaking (Via ICO Website)

View PDF of the Norwich City College of Further and Higher Education Undertaking (Breach Watch Archive)

Borough of Poole

Posted on by

What

Loss on sensitive personal information on three occasions.

How much

Three records

Why

Faxes containing  personal information were erroneously sent to the wrong number.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are sufficiently training in both the usage of and policies relating to the transmission of data via, fax machines.

Reason for action

Insufficiently clear instructions and training was provided to staff.

When

19 April 2011.

Links

View PDF of the Borough of Poole Undertaking (Via ICO Website)

View PDF of the Borough of Poole Undertaking (Breach Watch Archive)

University College London Hospitals NHS Foundation Trust

Posted on by

What

Loss of sensitive personal data.

How much

750 records.

Why

Loss of an unencrypted memory stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are sufficiently encrypted and that staff are trained in the transportation of such data.

Reason for action

Sensitive personal information should never have been transported off site in an unencrypted media device.

When

15 April 2011.

Links

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Council for Healthcare Regulatory Excellence

Posted on by

What

Possible loss of sensitive personal information.

How much

Three records

Why

Discovery that some hard copy files relating to cases could not be accounted for.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all correspondence regarding personal data is adequately protected and a permanent system for the logging of data is put into place.

Reason for action

It was impossible, due to insufficient data tracking, to be sure if the data had ever been received by the data controller, let alone lost.

When

15 April 2011.

Links

View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Via ICO Website)

View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Breach Watch Archive)

NHS Liverpool Community Health

Posted on by

What

Loss of sensitive personal information.

How much

31 records

Why

Files were transported in uncollected crates by a removal company which the data controller did not have a contract with.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that written contracts are used whenever third parties might have access to sensitive data and that clear and precise policies will be put into place for how to transport data while moving offices .

Reason for action

Contradictory instructions given to staff members by the removal company lead to confusion as to how the data could be transported, leading to errors made due to short notice.

When

11 April 2011.

Links

View PDF of the NHS Liverpool Community Health Undertaking (Via ICO Undertaking)

View PDF of the NHS Liverpool Community Health Undertaking (Breach Watch Archive)