Brighton and Sussex University Hospitals NHS Trust

Posted on 1 June 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	79,000 records.
When	March 2008
Why	Initially four hard drives sold eBay in October and November 2010 were found to contain were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 325,000
When	1 June 2012

Why the regulator acted

Breach of act	Failure to select a data processor able to provide gurantees of technical security – loss of hard drives. Inappropriate organisational and technical measures.
Known or should have known	Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress	Medical Data of Patients.

Links

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Via ICO Website)

View the Brighton and Sussex University Hospitals response to the penalty (external archive)

Pharmacyrepublic Ltd

Posted on 27 May 2012 by BreachMaster

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen for the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, whom they had been paying a monthly retainer to, prior to the transfer of ownership process.

When

27 Mar 2012

Links

View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)

View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)

London Borough of Barnet

Posted on 15 May 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	15 records.
When	23 April 2011
Why	Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000
When	15 May 2012

Why the regulator acted

Breach of act	Loss of paper records. Inappropriate organisational and technical measures.
Known or should have known	Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress	Data relating to child exploitation.

Links

View PDF of the London Borough of Barnet Monetary Penalty Notice (Breach Watch Archive)

View PDF of the London Borough of Barnet Monetary Penalty Notice (Via ICO Website)

Aneurin Bevan Health Board

Posted on 30 April 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	One records.
When	24 March 2011
Why	A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000 Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When	30 April 2012

Why the regulator acted

Breach of act	Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress	Medical data.

Links

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Via ICO Website)

View PDF of the Aneurin Bevan Health Board Undertaking (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Undertaking (Via ICO Website)

Leicestershire County Council

Posted on 17 April 2012 by BreachMaster

What

Loss of sensitive personal data.

How much

18 records.

Why

A briefcase, containing documents to be used for initiating court proceedings, was stolen from a social worker’s house during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that existing policies should be amended to include detailed guidance relating to the security of paper documents whilst home working and that staff receive sufficient training and follow these guidelines.

Reason for action

While the social worker had asked for, and received, permission from his manager to take the documents home with him, policies had been put in place to train staff in how to secure documents outside of the office. While the manager had received this training, the social worker had not.

When

17 Apr 2012

Links

View PDF of the Leicestershire County Council Undertaking (Via ICO Website)

View PDF of the Leicestershire County Council Undertaking (Breach Watch Archive)

Hertfordshire County Council

Posted on 11 April 2012 by BreachMaster

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)

South London Healthcare NHS Trust

Posted on 11 April 2012 by BreachMaster

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, one two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

Posted on 27 March 2012 by BreachMaster

What
Loss of sensitive personal data.

How much
22,000 records.

Why
6 unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractor’s staff. All staff must receive adequate data protection training.

Reason for action
Due to network connection problems patient data had been stored on laptop C drives contrary to Trust policy and was not encrypted.

When
27 March 2009

Links
View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

The Highland Council

Posted on 17 March 2012 by BreachMaster

What
Loss of sensitive personal data.

How much
A few records.

Why

Sensitive personal data relating to several members of one family had been inadvertently disclosed, to an unrelated individual. This occurred because several members of both families, who lived in the same small village, submitted subject access requests to the data controller at roughly the same date.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a full briefing of subject access requests is provided to covering officers and a formal log of all requests is kept and made easily accessible.

Reason for action

The officer who usually dealt with such requests went on leave before full responses had been sent, and enquiries revealed that the covering officer had not been made aware that more than one request was outstanding from someone in the village. When information relating to one family was provided the covering officer assumed it was related to the other family, to whom he had earlier sent some documents left for him by his absent colleague.

When
17 March 2010

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Posted on 14 March 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	“Several” records.
When	17 July 2011
Why	xxx.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000 Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When	14 March 2012

Why the regulator acted

Breach of act	Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known	Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress	Report related to vulnerable children and sex crimes.

Links

View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Breach Watch Archive)

View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Via ICO Website)

View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Breach Watch Archive)

View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Via ICO Website)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500