Tag Archives: Loss of Sensitive Personal Data

Foyle Women’s Aid

Posted on by

Breach details

What Confidential client information contained in a folder was left at a cafe.
How much A folder containing information on one case.
When June 2012
Why A lack of effective controls and procedures for taking information out of the office contributed to the loss of this personal data. Excessive information was also being transported as the folder contained personal data not relevant to the scheduled meetings. However, there were general polices and procedures in place and the support worker had received relevant training. The support worker was also acting against previous instructions given by Foyle Women’s Aid.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details Foyle Women’s Aid will immediately implement a formal policy covering the use of personal data outside of the office and provide training to their staff; compliance with these policies shall be regularly monitored. Portable devices used for the storage and transmission of personal data must be encrypted. Physical and other security measures must also be implemented to protect against unauthorised access to personal data.

Links

View PDF of the Foyle Women’s Aid Undertaking (Breach Watch Archive)
View PDF of the Foyle Women’s Aid Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 19 November 2013.
View PDF of the Foyle Women’s Aid Follow Up (Breach Watch Archive)
View PDF of the Foyle Women’s Aid Undertaking Follow Up (Via ICO Website)

Derbyshire, Leicestershire and Nottinghamshire Police Forces

Posted on by

Breach details

What The theft of laptops containing sensitive personal data including prison records and offender details.
How much Approximately 4,500 records held on eight laptops.
When 14 August 2010.
Why These police forces were part of the East Midlands Collaboration Unit (EMCU), whose offices were burgled in August 2010. Eight laptops belonging to seconded offices were stolen; they had not been stored in available lockable containers and two were unencrypted. Derbyshire and Leicestershire Police had not undertaken their own risk assessments and relied on the security measures of Nottingham Police. However, this did not specify that laptops should be encrypted, made no provision for locking them in containers, and did not monitor the offices during this period.

Regulatory action

Regulator ICO
Action Enforcement Notice issued to limit the sharing of personal data.
When 18 June 2013
Details These police forces shall only share personal data as part of a collaborative project if a Senior Information Risk Owner has been appointed to oversee the work and risk assess the premises; laptop and other portable electronic security devices are encrypted; and all officers involved in the project are given appropriate training. These measures should been implemented within 35 days.

Links

View PDF of the Derbyshire Police Enforcement Notice (Breach Watch Archive)
View PDF of the Derbyshire Police Enforcement Notice (Via ICO Website)
View PDF of the Leicestershire Police Enforcement Notice (Breach Watch Archive)
View PDF of the Leicestershire Police Enforcement Notice (Via ICO Website)
View PDF of the Nottinghamshire Police Enforcement Notice (Breach Watch Archive)
View PDF of the Nottinghamshire Police Enforcement Notice (Via ICO Website)

NHS Surrey

Posted on by

Breach details

What Loss of personal data and sensitive personal data.
How much Approximately 1,570 hard drives. An unspecified number of records.
When 08 March 2010 – 02 July 2012
Why Between 08 March 2010 and 28 May 2012 hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper – there’s no substitute for watching your old hard drives being put through an industrial shredder.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 18 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was taken; there was no written contract with the data processor requiring the company to comply with regulations; and NHS Surrey did not take appropriate steps to ensure complaince with the regulations.
Known or should have known NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound the problem by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only 60% of the penalty (£200K vs £325K) on NHS Surrey for losing a around 60% more disks (1,570 vs 1,000).

Links

View PDF of the NHS Surrey Monetary Penalty Notice (Breach Watch Archive)
View PDF of the NHS Surrey Monetary Penalty Notice (Via ICO Website)

Stockport Primary Care Trust

Posted on by

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Links

View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Stockport Primary Care Trust Monetary Penalty Notice (Via ICO Website)

The Burnett Practice

Posted on by

Breach details

What Names and email addresses.
How much About 175 records.
When 3 October 2012 or earlier
Why The email service provider that the practice used wasn’t suitable to send sensitive medical results because it didn’t provide the appropriate technical security measures. As a result the practice’s email account was hacked.

BW Comments

Organisations should view this as an indication that if cloud-based, web-email services are used, services that offer two-factor authentication (e.g. Google Authenticator) should be selected.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 26 April 2013
Details The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained.

BW Observations

Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test given that most people (incorrectly) assume their email is generally safe from third party attack.

Links

View PDF of The Burnett Practice Undertaking (Breach Watch Archive)
View PDF of The Burnett Practice Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 17 October 2013.
View PDF of the Burnett Practice Undertaking Follow Up (Breach Watch Archive)
View PDF of the Burnett Practice Undertaking Follow Up (Via ICO Website)

East Riding of Yorkshire Council

Posted on by

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Links

View PDF of the East Riding of Yorkshire Council Undertaking (Breach Watch Archive)
View PDF of the East Riding of Yorkshire Council Undertaking (Via ICO Website)

Nursing and Midwifery Council

Posted on by

Breach details

What Loss of sensitive personal data (medical and details relating to legal proceedings).
How much Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When 07 October 2011
Why In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

  1. Always use couriers when sending personal data on physical media.

  2. Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 12 February 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.

Links

View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Via ICO Website)

Leeds City Council

Posted on by

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Links

View PDF of the Leeds City Council Undertaking (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 20 May 2013
View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Prospect

Posted on by

Breach details

What Loss of sensitive personal information (Union membership).
How much About 19,000 records.
When 08 Dec 2011
Why Two files containing member data were sent as part of a tendering process to an unknown email address in error. The files were encrypted but the password was also sent seperately to the same address.

BW Comments

This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised, not only does it increase the risk of breaching the seventh principle, but it will also breach the first and second principles; although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as the key (password) management – passwords should always be sent at a minimum by a separate channel.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 16 Jan 2013
Details The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data.

BW Observations

Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO obviously decided that an undertaking was more appropriate given the potential harm that could result.

Links

View PDF of the Prospect Undertaking (Breach Watch Archive)
View PDF of the Prospect Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 15 May 2013
View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Isle of Anglesey County Council

Posted on by

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)
View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)