Southampton University Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
An unencrypted laptop was stolen from a retinal screening vehicle.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The vehicle was left unlocked and unattended during the theft.

When
14 December 2009

Links
View PDF of the Southampton University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Bellgrange Mortgages & Insurance Services Ltd

What
Loss of sensitive personal data.

How much
A number of records.

Why
Paper documents containing client details were inappropriately disposed of in waste bins intended for the use of local residents.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The documents were left in the waste bins overnight prior to their collection by the waste disposal contractor. Following their discovery, the documents were either returned to Bellgrange or destroyed.

When
9 December 2009

Links
View PDF of the Bellgrange Mortgages & Insurance Services Ltd Undertaking (Breach Watch Archive)

Shropshire Council

What
Loss of sensitive personal data.

How much
3,742 records.

Why
An unencrypted memory stick containing a social care management database was lost during a postal transfer from the Council’s offices to a regular contractor based in Cardiff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Databases must only contain information relevant for their purpose and the purpose of transfer. Where possible, sensitive personal data should be accessed remotely or hand-delivered. All other post should be adequately tracked and protected. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
Sensitive data was transferred onto the password-protected but unencrypted memory stick in breach of council procedure. The memory stick was sent in inadequately protected packaging, and contained records that were excessive for their purpose and out of date.

When
3 December 2009

Links
View PDF of the Shropshire Council Undertaking (Breach Watch Archive)

Department of Finance and Personnel

What
Loss of sensitive personal data.

How much
37,000 records.

Why
Twelve password-protected laptops were stolen, two of which contained significant personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The laptops were unencrypted, although they were physically secure.

When
30 November 2009

Links
View PDF of the Department of Finance and Personnel Undertaking (Breach Watch Archive)

Orbit Heart of England Housing Association

What
Loss of sensitive personal data.

How much
1,000 records.

Why
57 paper files went missing at the time of an office move, although 42 of them have since been recovered intact.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of, and trained to follow, the data controller’s new procedures with regard to office moves.

Reason for action
Investigations revealed that no inventory of files had been made prior to the move, so staff were initially uncertain how many files should have been received at the new office, and that many of the files had not been unpacked six months after the move.

When
30 November 2009

Links
View PDF of the Orbit Heart of England Housing Association Undertaking (Breach Watch Archive)

Waseley Hills High School and Sixth Form Centre

What
Loss of sensitive personal data.

How much
1,170 records.

Why
An unencrypted school laptop computer containing the personal and sensitive personal data of 984 pupils and 186 members of staff was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The laptop was unencrypted.

When
24 November 2009

Links
View PDF of the Waseley Hills High School and Sixth Form Undertaking (Breach Watch Archive)

Great Yarmouth & Waveney Primary Care Trust

What
Loss of sensitive personal data.

How much
1,000 records.

Why
Two desktop computers were stolen from premises with minimal security.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted and password protected. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The desktop computers were both unencrypted and without password protection. The data held on these computers should have been held on a network server. The premises where the computers were stored had no intruder alarm or security locks.

When
3 November 2009

Links
View PDF of the Great Yarmouth & Waveney Primary Care Trust Undertaking (Breach Watch Archive)

Ashford & St Peter’s Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
A number of records.

Why
Three unencrypted USB memory sticks were lost or stolen over a period of several weeks between 28 May and 26 June 2009.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The USB sticks were unencrypted and their loss was not formally reported to the data controller’s management until after the third incident in late June 2009. The investigation into these incidents revealed a lack of understanding and awareness among staff of the requirements of data protection legislation. It was also revealed that staff had not received any formal data protection training.

When
20 October 2009

Links
View PDF of the Ashford & St Peter’s Hospitals NHS Trust Undertaking (Breach Watch Archive)

Maidstone and Tunbridge Wells NHS Trust

What
Loss of sensitive personal data.

How much
About 33 records.

Why
An unencrypted laptop was stolen from the Audiology Department. Three other encrypted laptops belonging to the data controller had also been stolen a month prior.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that within six months any personal data held on a laptop computer or any other removable media by the data controller is identified and encrypted.

Reason for action
Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
16 October 2009

Links
View PDF of the Maidstone and Tunbridge Wells NHS Trust Undertaking (Breach Watch Archive)

Gloucestershire Primary Care Trust

What
Loss of sensitive personal data.

How much
About 2,270 records.

Why
Six unencrypted desktop computers containing personal data relating to 2,270 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The computers were password protected but not encrypted. The patient data should have been held on a local server rather than on the hard drives of the stolen computers.

When
15 October 2009

Links
View PDF of the Gloucestershire Primary Care Trust Undertaking (Breach Watch Archive)