Tag Archives: Loss of Sensitive Personal Data

Leicester City Council

Posted on by

What
Loss of sensitive personal data.

How much
About 80 records.

Why
An unencrypted USB memory stick containing data relating to about 80 children was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Staff must be suitable trained in these internal policies and sufficient supervisory checks must be put into place to ensure adherence.

Reason for action
The storage of personal data on an unencrypted USB stick was contrary to council policies and procedures, which required all such devices to be purchasing centrally through its IT department and encrypted.

When
7 May 2009

Links
View PDF of the Leicester City Council Undertaking (Breach Watch Archive)

Doncaster Primary Care Trust

Posted on by

What
Loss of sensitive personal data.

How much
About 220,000 records.

Why
An obsolete out of hours GP service voice recording server that held the personal data of patients was removed without authorisation.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Adequate physical security measures must be put in place to protect such devices.

Reason for action
The obsolete server was removed by an external contractor’s engineer who installed a new server. The obsolete server was not missed until 3 weeks later when the new server failed. During this time the obsolete server was out of the Trust’s control for almost 3 weeks during which time it was briefly booted up twice. It is unlikely the clinical voice records it contained were accessed however.

When
27 April 2009

Links
View PDF of the Doncaster Primary Care Trust Undertaking (Breach Watch Archive)

Leasowes Community College

Posted on by

What
Loss of sensitive personal data.

How much
About 1,500 records.

Why
A unencrypted USB memory stick containing the personal data of pupils was found by a member of the public.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such a policy.

Reason for action
The USB stick was of poor quality and unencrypted. It does not appear to have been missed and adequate relevant policies and staff training were not in place.

When
20 April 2009

Links
View PDF of the Leasowes Community College Undertaking (Breach Watch Archive)

The University of Manchester

Posted on by

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
A computerised spreadsheet containing the personal data of some 1,755 was published when it was accidently sent as an attachment of an email by a member of the University staff and forwarded to some 469 students..

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Policies on the transfer, sharing and publication of personal data must me made clear and all staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
The data controller did not on this occasion ensure that adequate measures were taken to prevent the inappropriate internal transfer of the information.

When
15 April 2009

Links
View PDF of the University of Manchester Undertaking (Breach Watch Archive)

Central Lancashire Primary Care Trust

Posted on by

What
Loss of sensitive personal data.

How much
6,360 records.

Why
An encrypted memory stick containing data relating to medical treatment was lost by a member of staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed and that mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the loss of the data in question. The memory stick had a “Post it” sticker adhered to it containing the applicable password for the use of the stick.

When
8 April 2009

Links
View PDF of the Central Lancashire Primary Care Trust Undertaking (Breach Watch Archive)

Hull and East Yorkshire Hospitals NHS Trust

Posted on by

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
In the first incident an unencrypted desktop PC containing personal data relating to about 300 patients was lost during refurbishment. On the second occasion a disused unencrypted laptop containing personal relating to 2,000 patients from prior to January 2007, was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Personal data must not be held on any media for any longer than needed. All staff must receive adequate data protection training and be reminded of internal policies regularly.

Reason for action
The data controller did had in place policies and procedures relating to data security and the storage and transfer of equipment and data, which were not followed in either instance.

When
7 April 2009

Links
View PDF of the Hull and East Yorkshire Hospitals NHS Trust Undertaking (Breach Watch Archive)

The British Council

Posted on by

What
Loss of sensitive personal data.

How much
22,000 records.

Why
An unencrypted computer data storage disc containing personal data relating to 2,000 staff, including trade union membership, was lost in transit by a courier service.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed either by the data controller or any third parties. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
Although the disc was lost by a third party, the council had failed to ensure that the disc was encrypted to a minimum standard.

When
7 April 2009

Links
View PDF of the British Council Undertaking (Breach Watch Archive)

Cambridge University Hospitals NHS Foundation Trust

Posted on by

What
Loss of sensitive personal data.

How much
741 records.

Why
An unencrypted memory stick containing the personal data of patients was left unattended in a car and found by a car wash attended to was able to access the device and establish its ownership.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed by the Trust. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the unauthorised transfer of data onto a non-trust owned, unencrypted memory stick.

When
03 April 2009

Links
View PDF of the Cambridge University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Stockport NHS Foundation Trust

Posted on by

What
Loss of sensitive personal data.

How much
1,588 records.

Why
An unencrypted laptop containing sensitive personal data was stolen from a locked hospital room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented. All such devices must be registered with the IT department. All staff must receive adequate data protection training.

Reason for action
The laptop was password protected but not encrypted. It had not been locked in a cabinet as was usual but was stored in a covered box under the desk. The laptop did not appear to have been registered with the Trust’s IT department.

When
25 March 2009

Links
View PDF of the Stockport NHS Foundation Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

Posted on by

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick  containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented  All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of site, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)