Borough of Poole

Posted on 19 April 2011 by BreachMaster

What

Loss on sensitive personal information on three occasions.

How much

Three records

Why

Faxes containing personal information were erroneously sent to the wrong number.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are sufficiently training in both the usage of and policies relating to the transmission of data via, fax machines.

Reason for action

Insufficiently clear instructions and training was provided to staff.

When

19 April 2011.

Links

View PDF of the Borough of Poole Undertaking (Via ICO Website)

View PDF of the Borough of Poole Undertaking (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust.

Posted on 4 April 2011 by BreachMaster

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was sent out in response to a third party Subject Access Request, inappropriately.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests lead to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Hertfordshire County Council

Posted on 22 November 2010 by BreachMaster

Breach details

What	Loss of highly sensitive personal information by fax.
How much	47 records.
When	11 June 2010
Why	Two faxes were sent to the wrong recipients.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 100,000
When	22 November 2010

Why the regulator acted

Breach of act	Faxes sent to the wrong recipient. Inappropriate organisational and technical measures.
Known or should have known	The ICOs advice on faxing protocols after the first incident were ignored, but the risk had been made clear.
Likely to cause damage or distress	Data relating to vulnerable children.

Links

View PDF of the Hertfordshire County Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Hertfordshire County Council Monetary Penalty Notice (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust

Posted on 14 July 2010 by BreachMaster

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put to in place to ensure that data security policies are adhered to consistently. Any portable media must be suitably encrypted, or, if this is impossible due to the functions required, physical security must compensate for the additional risk.

Reason for action

This event followed a previously self reported security breach. The laptops were unencrypted and insufficiently secure.

When

14 July 2010

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)

West Berkshire Council

Posted on 27 May 2010 by BreachMaster

What

Loss of sensitive personal data.

How much

Unknown.

Why

Loss of an unencrypted USB stick containing sensitive personal data. This was the second data security incident reported by the data controller within 6 months.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store sensitive personal data are encrypted to a sufficient standard.

Reason for action

The USB stick had been used in 2005 by a member of the data controller’s social work department and was not encrypted or password-protected. Although the data controller had provided encrypted USB sticks since 2006 it never required the return of previously used unencrypted media devices.

When

27 May 2010

Links

View PDF of West Berkshire Council’s Undertaking (Via ICO Website)

View PDF of West Berkshire Council’s Undertaking (Breach Watch Archive)

King’s College London

Posted on 5 May 2010 by BreachMaster

What
Loss of sensitive personal data.

How much
About 200 records.

Why
A mini-Mac computer and several laptops were stolen from an academic office of the data controller in a teaching hospital.

In a second incident several months later two laptops were stolen from another teaching hospital.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
None of the machines were encrypted and it was discovered that the laptops were not normally locked away or physically secured when not in use. Enquiries revealed that staff training and awareness in relation to data protection responsibilities were inadequate. A similar incident had occurred in June 2009 but the data controller did not appear to have incorporated lessons learnt from that incident sufficiently into its wider policies and procedures.

When
5 May 2010

Links
View PDF of the King’s College London Undertaking (Breach Watch Archive)

Warwickshire County Council

Posted on 19 March 2010 by BreachMaster

What
Loss of sensitive personal data.

How much
A few records.

Why
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.

The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.

When
19 March 2010

Links
View PDF of the Warwickshire County Council Undertaking (Breach Watch Archive)

St Albans City and District Council

Posted on 5 March 2010 by BreachMaster

What
Loss of personal data.

How much
15,333 records.

Why
Four unencrypted laptops were stolen, one of which contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data. Adequate security checks must be carried out on contractor’s staff.

Reason for action
The laptop containing personal data was unencrypted (yet met Council IT security policy at the time) and contained redundant election data that had not been removed in a reasonable amount of time. It was later taken by contracted IT staff and left unsecured, later discovered to be missing along with 3 other laptops.

When
5 March 2010

Links
View PDF of the St Albans City and District Council Undertaking (Breach Watch Archive)

Alzheimer’s Society

Posted on 1 February 2010 by BreachMaster

What
Loss of sensitive personal data.

How much
Approximately 1,000 records.

Why
Several unencrypted laptop computers, one of which contained personal data, were stolen from the data controller’s Cardiff Office during a burglary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops had been returned to the office for encryption, but this had not yet taken place when the theft occurred. The laptops were neither physically secured by cable locks, nor locked away securely. This was the third data security incident reported to the Commissioner during 2009. It was also revealed that staff did not receive any formal data protection training.

When
1 February 2010

Links
View PDF of the Alzheimer’s Society Undertaking (Breach Watch Archive)

NHS Grampian

Posted on 3 September 2009 by BreachMaster

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

The inappropriate distribution of an email containing sensitive personal data relating to an individual.
Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

A senior nursing manager distributing an email from another senior manager to over 50 other staff without first consulting either the sender of the data controller’s Information Governance Manager.
Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500