Tag Archives: Loss of Sensitive Personal Data

Warrington and Halton Hospitals NHS Trust

Posted on by

What

Loss of sensitive data.

How much

110 records

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Despite the data controller having a policy in place to ensure that all such devices were encrypted, this laptop had not been, nor had it been identified as a security risk, despite having no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)

Wolverhampton City Council

Posted on by

What

Loss of sensitive personal data.

How much

Unknown.

Why

Personal data belonged to the data controller was dumped in a skip, which was later stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

15 March 2011.

Links

View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)

View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)

Ms Phillimore, a barrister

Posted on by

What

Loss of sensitive personal information.

How much

“A sizeable quantity”

Why

Theft of two hard copy folders of case files from her car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate physical security measures are taken to protect physical data – in particular data must not be left outside the chambers overnight.

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

23 March 2011.

Links

View PDF of Ms Phillimore’s Undertaking (Via ICO Website)

View PDF of Ms Phillimore’s Undertaking (Breach Watch Archive)

Cambridgeshire County Council

Posted on by

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Identity and Password Service

Posted on by

What

Loss of sensitive personal information.

How much

21 records.

Why

21 password renewal applications were lost from a particular passport office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that reasonable steps are taken to ensure the security of data while it is processed.

Reason for action

All those effected were notified and received new passwords without complaint, however the incident demonstrated insufficiently secure processing of personal data

When

21 February 2011.

Links

View PDF of the Isle of Identity and Password Service Undertaking (Via ICO Website)

View PDF of the Isle of Identity and Password Service Undertaking (Breach Watch Archive)

Gwent Police

Posted on by

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidently forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

Ealing Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 958 records.
When 2010
Why Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 08 February 2011

Why the regulator acted

Breach of act Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress Personal data of clients.

Links

View PDF of the Ealing Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Ealing Council Monetary Penalty Notice (Via ICO Website)

Hounslow Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 698 records.
When 2010
Why Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council who processed the data.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 8 February 2011

Why the regulator acted

Breach of act Theft of unencrypted laptop.
Inappropriate organisational and technical measures.
Known or should have known There were no policies requiring the encryption of laptops and the data processors policies were not monitored, despite the data controller having their own Information Security Policy.
Likely to cause damage or distress Personal information of clients.

Links

View PDF of the Hounslow Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hounslow Council Monetary Penalty Notice (Via ICO Website)

NHS Blood and Transplant

Posted on by

What

Loss of sensitive personal information.

How much

444,031 records

Why

Organ donation preferences were recorded incorrectly due to a software error.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data must be routinely checked for accuracy.

Reason for action

The software error had been introduced into the system early in 1999 and had not been uncovered in the years that followed due to a lack of data checks.

When

21 January 2011

Links

View PDF of the NHS Blood and Transplant Undertaking (Via ICO Website)

View PDF of the NHS Blood and Transplant Undertaking (Breach Watch Archive)

Stoke-on-Trent City Council

Posted on by

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)