Tag Archives: Multiple Breaches

Mansfield District Council

Posted on by

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Links

View PDF of the Mansfield District Council Undertaking (Breach Watch Archive)
View PDF of the Mansfield District Council Undertaking (Via ICO Website)

St George’s Healthcare NHS Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much Two records.
When 2011
Why Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, at which the subject had resided at 5 years previous. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged into the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved with compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 12 July 2012

Why the regulator acted

Breach of act Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS.
Likely to cause damage or distress Medical data.

Links

View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

Belfast Health and Social Care Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Links

View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Via ICO Website)

Telford & Wrekin Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.

Links

View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Via ICO Website)

South London Healthcare NHS Trust

Posted on by

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, one two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

Fairbridge

Posted on by

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions password protected, but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

Posted on by

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

Midlothian Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 01 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

Links

View PDF of the Midlothian Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Midlothian Council Monetary Penalty Notice (Via ICO Website)

North Somerset Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

Links

View PDF of the North Somerset Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the North Somerset Council Monetary Penalty Notice (Via ICO Website)

University Hospitals Coventry & Warwickshire NHS Trust

Posted on by

What

Loss of sensitive personal data on two occasions.

How much

One record and 18 records.

Why

A patient’s medical record was allegedly found in a waste bin outside Coventry’s University Hospital by a member of the public. Two months previously the records of 18 patients were found in a public waste bin in a residential apartment block.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the storage, use, disposure and removal from the premises of personal information are made clear to staff and that compliance is monitored.

Reason for action

The short time between the two incidents suggested that insufficient measures were being taken to safeguard personal data.

When

27 October 2011.

Links

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Via ICO Website)

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Breach Watch Archive)