Tag Archives: Loss of Sensitive Personal Data

North West London Hospitals NHS Trust

Posted on by

What

Loss of sensitive personal information .

How much

56 records.

Why

A computer printout containing patient information was left in a general folder used for auditing that was accidently left on a tube train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that psuedonymisation techniques are used where individual identification of patients is needed for audit work.

Reason for action

Although much audit work is carried out at home there was no need for this computer print out to contain the genuine identities of patients.

When

14 October 2010

Links

View PDF of the North West London Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Forth Valley NHS Board

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handing in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the Newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)

East & North Hertfordshire NHS Trust

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller’s policy for the use of portable media and storage and use of personal media is clarified and all staff are made aware of its provisions .

Reason for action

The unencrypted USB stick had not been issued by the data controller.

When

20 September 2010

Links

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Via ICO Website)

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Breach Watch Archive)

Royal Wolverhampton Hospitals NHS Trust

Posted on by

What

Loss sensitive of personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear how exactly the CD had came to be made. Any patient charts released to consultants would not be chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Children’s Mutual

Posted on by

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidently sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

Birmingham Children’s Hospital NHS Foundation Trust

Posted on by

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put to in place to ensure that data security policies are adhered to consistently. Any portable media must be suitably encrypted, or, if this is impossible due to the functions required, physical security must compensate for the additional risk.

Reason for action

This event followed a previously self reported security breach. The laptops were unencrypted and insufficiently secure.

When

14 July 2010

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)

Buckinghamshire County Council

Posted on by

What
Loss of sensitive personal information.

How much
Two records.

Why
Loss of documents containing sensitive personal data included in a plastic wallet with flight and accommodation details given to a social work employee flying to another UK city.
Regulator
ICO

Regulatory action
Undertaking issued to ensure that a proper risk assessment is carried out prior to the removal from the office environment of documents containing sensitive personal data and that they are sufficiently secure in transit.

Reason for action
It was felt that the implications of including the case documents with the travel documents during the journey had been insufficiently considered.

When
8 July 2010

Links

West Sussex County Council

Posted on by

What
Loss of sensitive personal information.

How much
Unknown.

Why
Theft of an unencrypted laptop from an employee’s home

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that staff are made aware of policies on data protection.

Reason for action
Enquiries revealed that the employee had not received any formal data protection/IT security training and was unaware of how to access the data controller’s secure network drive remotely. Although encrypted removable media was available to staff no technical measures were yet in place to enforce their use and it was also discovered that about 2,300 unencrypted laptops were likely to still be in use.

When
17 June 2010

Links
View PDF of West Sussex County Council Undertaking (Via ICO Website)

View PDF of West Sussex County Council Undertaking (Breach Watch Archive)

London Borough of Barnet

Posted on by

What
Loss of sensitive personal information.

How much
Over 9,000 records.

Why
Theft of an encrypted laptop and unencrypted USB and CDs from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are sufficiently encrypted and that staff are suitably trained in the data controller’s policies on data protection, which must be regularly monitored.  Finally the data controller shall agree to a further audit by the ICO within the current fiscal year, to ensure that the requirements of this undertaking are met.

Reason for action
The employee had downloaded the data into the unencrypted devices without authorisation, though enquires revealed that insufficient measures were in place to prevent staff from doing so.

When
15 June 2010

Links
View PDF of London Borough of Barnet Undertaking (Via ICO Website)

View PDF of London Borough of Barnet Undertaking (Breach Watch Archive)

West Berkshire Council

Posted on by

What

Loss of sensitive personal data.

How much

Unknown.

Why

Loss of an unencrypted USB stick containing sensitive personal data. This was the second data security incident reported by the data controller within 6 months.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store sensitive personal data are encrypted to a sufficient standard.

Reason for action

The USB stick had been used in 2005 by a member of the data controller’s social work department and was not encrypted or password-protected. Although the data controller had provided encrypted USB sticks since 2006 it never required the return of previously used unencrypted media devices.

When

27 May 2010

Links

View PDF of West Berkshire Council’s Undertaking (Via ICO Website)

View PDF of West Berkshire Council’s Undertaking (Breach Watch Archive)