Tag Archives: Loss of Sensitive Personal Data

E*Trade Securities Ltd.

Posted on by

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)

Midlothian Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 01 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

Links

View PDF of the Midlothian Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Midlothian Council Monetary Penalty Notice (Via ICO Website)

Chartered Institute of Public Relations

Posted on by

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)

Praxis Care Limited

Posted on by

What

Loss of sensitive personal data.

How much

160 records.

Why

An unencrypted USB memory stick used as a backup and transfer device by an employee was lost on the Isle of Man.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all personal media devices used to store or transport personal data are sufficiently encrypted.

Reason for action

The data controller acted swiftly to ascertain exactly what data was on the missing USB stick and appropriate support was provided to the effected subjects, No reports of adverse consequences from the data loss have been received.

When

18 January 2012.

Links

View PDF of the Praxis Care Limited Undertaking (Via ICO Website)

View PDF of the Praxis Care Limited Undertaking (Breach Watch Archive)

Powys County Council

Posted on by

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and has the potential for misuse.

Links

View PDF of the Powys County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Powys County Council Monetary Penalty Notice (Via ICO Website)
View PDF of the Powys County Council Enforcement Notice (Breach Watch Archive)
View PDF of the Powys County Council Enforcement Notice (Via ICO Website)

Alan M Casson & Associates

Posted on by

What

Loss of sensitive personal data.

How much

8,000 records.

Why

Theft of two unencrypted laptops and back up media during a burglary of premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that physical security measures are sufficient to prevent unauthorised access to persona data and that all portable media devices must be encrypted to a suitable standard.

Reason for action

While the laptops were kept in a locked cupboard and the backup media in a safe (which was stolen) the data controller was in the process of upgrading their security to include encryption, but the theft occurred before this could be put into practice.

When

06 December 2011.

Links

View PDF of the Alan M Casson & Associates Undertaking (Via ICO Website)

View PDF of the Alan M Casson & Associates Undertaking (Breach Watch Archive)

Godalming College

Posted on by

What

Inappropriate disclosure of sensitive personal data.

How much

Unknown.

Why

An email with an attachment containing sensitive personal data was inadvertently sent to lower-sixth form students rather than their tutors. The email was only intended to contain a link to the attachment.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data relating to students will only be provided to staff on a “need to know” basis and will not, in any event, be transmitted via email unless encrypted.

Reason for action

Although efforts were made to delete or recall the email, some students had already saved or forwarded the attachment and some media publicity resulted.

When

06 December 2011.

Links

View PDF of the Godalming College Undertaking (Via ICO Website)

View PDF of the Godalming College Undertaking (Breach Watch Archive)

Worcestershire County Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal information.
How much “A large number” of records.
When Unknown
Why A member of staff accidently clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 28 November 2011

Why the regulator acted

Breach of act Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated.
Inappropriate organisational and technical measures.
Known or should have known Employees routinely dealt with confidential and sensitive personal data and manages should have realised the potential for human error when selecting emails lists.
Likely to cause damage or distress Details of vulnerable young adults.

Links

View PDF of the Worcestershire County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Worcestershire County Council Monetary Penalty Notice (Via ICO Website)

North Somerset Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

Links

View PDF of the North Somerset Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the North Somerset Council Monetary Penalty Notice (Via ICO Website)

London Borough of Southwark

Posted on by

What

Loss of sensitive personal data.

How much

7,200 records.

Why

An unencrypted iMac and paper records were found by a member of the public in a skip being used to cleanse a decommissioned and vacant property that had previously been part of a complex previously owned by the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will demonstrate adherence to the action plans to deal with the issue that it has presented to the data commissioner and that it will honour its invitation for the ICO to conduct a data protection audit.

Reason for action

Although the Data Controller demonstrated plans to deal with the breach, the iMac had been missing since 2003 and was unencrypted and any member of the public would have been able to remove the data contained on it.

When

21 November 2011.

Links

View PDF of the London Borough of Southwark Undertaking (Via ICO Website)

View PDF of the London Borough of Southwark Undertaking (Breach Watch Archive)