Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected but had not been encrypted. However, the data controller proposed to improve physical security and implement encryption as a result of the incident.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young People’s Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff training was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breach Watch Archive)

Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Pervinder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Pervinder Sanghera Undertaking (Breach Watch Archive)

Cheshire East Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000
When 15 February 2012

Why the regulator acted

Breach of act Sensitive email mistakenly forwarded to 180 unintended recipients.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress Details could jeopardise the data subject’s livelihood.

Croydon Council

Breach details

What Loss of sensitive personal data.
How much One record.
When 20 April 2011
Why A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved; the onus was on staff to update their own knowledge and read the data controller’s policies on the intranet. No checks were made to ensure that staff had read or understood these policies.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 13 February 2012

Why the regulator acted

Breach of act Loss of papers, which could disrupt an ongoing legal case.
Inappropriate organisational and technical measures.
Known or should have known It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress Information related to an ongoing legal case.

Norfolk Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why A social worker in the Data Controller’s Children’s Services department intended to deliver a copy of a conference report to a child’s father, but accidentally wrote the wrong address on the envelope and posted it through the door of the father’s neighbour. Although a policy was in place giving guidance on sending personal data by post, it was possible that the social worker was unaware of it: she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor training.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000
When 13 February 2012

Why the regulator acted

Breach of act Even had policy been followed there was nothing to prevent the incorrect delivery of the wrongly addressed letter.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress Data related to the physical and emotional well-being of a child.

Bolton Council

What

Loss of sensitive personal data.

How much

“Several”

Why

A rucksack containing hard copy documentation relating to several individuals was stolen from a keyworker’s car. A second incident was also reported in which an email containing a full occupational health form for one individual was sent in error to several hundred people.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that hard copy documentation is only removed from the office or secure storage when absolutely necessary and must contain the minimum amount of personal data required. Thorough risk assessments are to be completed for all mobile working arrangements.

Reason for action

  • In the case of the first incident it was discovered that the keyworker was carrying significantly more paperwork than necessary, without the knowledge of management. Investigations revealed that, despite the fact that many employees are predominantly mobile workers, the implications of how to handle data in a mobile environment had been insufficiently considered. Employees had, however, received appropriate training relating to the removal of personal data from the office.
  • In the second incident it transpired that autofill is often used when sending emails and that existing email groups do not differentiate between internal and external addresses.

When

10 February 2012.

Links

View PDF of the Bolton Council Undertaking (Via ICO Website)

View PDF of the Bolton Council Undertaking (Breach Watch Archive)

Dacorum Borough Council

What

Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground during a burglary. It contained registration documents relating to about 1,000 children who had attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting in registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Brighton and Hove Council

What

Loss of sensitive personal data.

How much

Records relating to up to seven families.

Why

Theft of an unencrypted laptop during a burglary and, on a separate occasion, details of an employee’s income and salary deductions were accidentally emailed to 2,821 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are suitably encrypted and that appropriate administrative measures are put in place to control employee use of email groups.
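The Bolton and Brighton and Hove incidents above share a root cause: a distribution group or autofilled address list was used without any check on who it actually contained, so one person's occupational health or payroll details reached hundreds or thousands of recipients, including external ones. The following is an added illustration, not code from either council or the ICO, of the kind of pre-send control the undertakings call for: expand named groups to addresses, report groups that mix internal and external members, and refuse a message flagged as sensitive when it would reach an external domain or more people than policy allows. The internal domain, the group contents, the recipient limit and the addresses are all constructed for the example.

```python
"""Pre-send recipient check for email groups (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed internal domain; the councils' real domains are not on the page.
INTERNAL_DOMAINS = {"council.example.gov.uk"}
# Assumed policy: a message flagged sensitive goes to at most this many people.
MAX_SENSITIVE_RECIPIENTS = 10

# Constructed distribution groups. "keyworkers" includes an agency contractor
# on an external domain, the situation the Bolton undertaking describes.
GROUPS: Dict[str, List[str]] = {
    "keyworkers": [
        "a.one@council.example.gov.uk",
        "b.two@council.example.gov.uk",
        "agency.temp@contractor.example.com",
    ],
    "all-staff": [f"staff{i}@council.example.gov.uk" for i in range(1, 51)],
}

_ADDR = re.compile(r"^[^@\s]+@([a-z0-9.-]+\.[a-z]{2,})$")


@dataclass
class Message:
    sender: str
    to: List[str]            # individual addresses and/or group names
    subject: str
    sensitive: bool = False  # set by the author or a classifier (assumed)


def domain_of(addr: str):
    """Return the lower-cased domain part, or None if the address is malformed."""
    m = _ADDR.match(addr.strip().lower())
    return m.group(1) if m else None


def expand(to: List[str], groups: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Expand group names to addresses, de-duplicated; also return groups used."""
    seen, addrs, used = set(), [], []
    for entry in to:
        members = groups.get(entry)
        if members is None:
            members = [entry]
        else:
            used.append(entry)
        for a in members:
            a = a.strip().lower()
            if a not in seen:
                seen.add(a)
                addrs.append(a)
    return addrs, used


def audit_groups(groups: Dict[str, List[str]], internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Names of groups whose members span both internal and external domains."""
    mixed = []
    for name, members in groups.items():
        doms = {domain_of(m) for m in members}
        has_int = any(d in internal_domains for d in doms)
        has_ext = any(d not in internal_domains for d in doms)
        if has_int and has_ext:
            mixed.append(name)
    return sorted(mixed)


def pre_send_check(msg: Message, groups: Dict[str, List[str]],
                   internal_domains=INTERNAL_DOMAINS,
                   max_sensitive: int = MAX_SENSITIVE_RECIPIENTS) -> Tuple[bool, List[str]]:
    """Return (allowed, findings). Only sensitive messages are ever blocked;
    a mixed group or a malformed address is always at least reported."""
    findings: List[str] = []
    addrs, used = expand(msg.to, groups)
    invalid = [a for a in addrs if domain_of(a) is None]
    external = [a for a in addrs
                if domain_of(a) is not None and domain_of(a) not in internal_domains]

    for g in used:
        if audit_groups({g: groups[g]}, internal_domains):
            findings.append(f"group '{g}' mixes internal and external addresses")
    if invalid:
        findings.append("malformed address(es): " + ", ".join(invalid))

    blocked = False
    if msg.sensitive:
        if external:
            findings.append(f"sensitive message would reach {len(external)} external "
                            f"recipient(s): {', '.join(external)}")
            blocked = True
        if invalid:
            blocked = True
        if len(addrs) > max_sensitive:
            findings.append(f"sensitive message addressed to {len(addrs)} recipients "
                            f"(limit {max_sensitive})")
            blocked = True
    return (not blocked), findings


if __name__ == "__main__":
    oh_form = Message("hr@council.example.gov.uk", ["keyworkers"],
                      "Occupational health form", sensitive=True)
    allowed, notes = pre_send_check(oh_form, GROUPS)
    print("allowed:", allowed)
    for n in notes:
        print(" -", n)
```

The check blocks on a sensitive message to the mixed "keyworkers" group (one external recipient) and on a sensitive message to "all-staff" (50 recipients against a limit of 10), while a routine message to "keyworkers" goes through with a warning that the group is mixed. In a real deployment the sensitivity flag would come from the sender's client or a DLP classifier, and the group audit would run periodically against the directory rather than at send time only.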

Reason for action

The laptop was stolen from the home of a sessional worker, a casual employee under contract for a specific assignment. The data sent to the worker was supposed to have been anonymised, but had not been.

When

10 February 2012.

Links

View PDF of the Brighton and Hove Council Undertaking (Via ICO Website)

View PDF of the Brighton and Hove Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party, together with a list of 29 occupants residing at two supported housing properties. On two later occasions customer details were inappropriately disclosed, and personal data was made available online for several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These breaches, occurring in close succession, highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)