Tag Archives: Loss of Sensitive Personal Data

Stoke-on-Trent City Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Links

View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Via ICO Website)
View PDF of the Stoke-on-Trent City Council Enforcement Notice (Breach Watch Archive)
View PDF of the Stoke-on-Trent City Council Enforcement Notice (Via ICO Website)

Greater Manchester Police

Posted on by

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

Links

View PDF of the Greater Manchester Police Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Greater Manchester Police Monetary Penalty Notice (Via ICO Website)

Norwood Ravenswood Ltd

Posted on by

Breach details

What Loss of sensitive personal data.
How much Four records.
When 5 December 2011
Why A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared..

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 10 October 2012

Why the regulator acted

Breach of act Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not recieved any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known The data controller had an overarching data protection policy which staff were aware of, even if specific guidence was not given. The sensitivity of staff’s work would have been self evident.
Likely to cause damage or distress The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Links

View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Via ICO Website)

Enfield Council: Confidential Files Found in Disused Building

Posted on by

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Personnel files found in Llandudno skip

Posted on by

What
Loss of sensitive personal data

How much
Unknown.

Why

Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of riving licences with a photocopied photograph and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Scottish Borders Council

Posted on by

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000£ 0
Overturned on appeal to the Information Rights Tribunal
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident.
Likely to cause damage or distress Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)

Links

View PDF of the Scottish Borders Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Scottish Borders Council Monetary Penalty Notice (Via ICO Website)

Torbay Care Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much 1,373 records.
When April 2011
Why Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000
When 6 August 2012

Why the regulator acted

Breach of act Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress Financial and Medical data. May have been accessed by untrustworthy third parties.

Links

View PDF of the Torbay Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Torbay Care Trust Monetary Penalty Notice (Via ICO Website)

St George’s Healthcare NHS Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much Two records.
When 2011
Why Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, at which the subject had resided at 5 years previous. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged into the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved with compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 12 July 2012

Why the regulator acted

Breach of act Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS.
Likely to cause damage or distress Medical data.

Links

View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

Belfast Health and Social Care Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Links

View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Via ICO Website)

Telford & Wrekin Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.

Links

View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Via ICO Website)