North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone and it has not been recovered to date. The USB stick had been issued in 2005 in order for the teacher to access neccessary data on their visits to schools and community locations that they performed during the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident and staff could only encrypt their devices through volunteer initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non mandatory and cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks was identified in 2009 but not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although there was an encryption service available from this point it was voluntary and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.

Ministry of Justice

Breach details

What Emails containing sensitive personal data concerning prison inmates accidentally sent to members of the public. This information included coded offences, addresses, identifying physical characteristics and location within the prison.
How much Three emails containing the details of 1,182 prisoners.
When 04 July, 11 July and 01 August 2011.
Why Each day HMP Cardiff manually transfers prisoner details from their network system Quantum onto a biometrics database in order to facilitate visits and other prisoner movements. The data is copied and pasted through Windows Explorer and thus can remain on the clipboard of Quantum. On 01 August the prisoner details were accidentally attached to an email to a member of the public booking a visit to a family member in HMP Cardiff. The individual reported this incident the next day and it was only at this point that the previous two emails came to light as they had not been reported by their recipients or noticed by the prison. Each email was sent by the same recently appointed booking clerk. Shortly after the breach was reported each recipient confirmed in writing that the data had not been disseminated further and was fully deleted; physical access was allowed to confirm this for two of the recipients and the other had already double-deleted the message and attachment.

Regulatory action

Regulator ICO
Action Monetary penalty of £140,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.

The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.

Known or should have known As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
Likely to cause damage or distress The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.

Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Foyle Women’s Aid

Breach details

What Confidential client information contained in a folder was left at a cafe.
How much A folder containing information on one case.
When June 2012
Why A lack of effective controls and procedures for taking information out of the office contributed to the loss of this personal data. Excessive information was also being transported as the folder contained personal data not relevant to the scheduled meetings. However, there were general polices and procedures in place and the support worker had received relevant training. The support worker was also acting against previous instructions given by Foyle Women’s Aid.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details Foyle Women’s Aid will immediately implement a formal policy covering the use of personal data outside of the office and provide training to their staff; compliance with these policies shall be regularly monitored. Portable devices used for the storage and transmission of personal data must be encrypted. Physical and other security measures must also be implemented to protect against unauthorised access to personal data.

Northern Health and Social Care Trust

Breach details

What Personal data including information on physical or mental health.
How much An unknown number of incidents including the faxing of confidential service user information to the wrong recipient and the inappropriate disclosure of personal data to professionals working with the Trust.
When An unknown period, dating to at least May 2011.
Why A number of security incidents led to the Commissioner’s investigation into the Trust. It was discovered that most of the staff involved in these incidents had not received the supposedly mandatory Information Governance training, and the Trust failed to monitor and enforce staff completion of training. This led to staff being unaware of Information Governance policies.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details From the date of this undertaking staff are to be made aware of policies regarding the storage and use of personal data and are given appropriate training in this and in dealing with security breaches. Measures should be put in place to ensure that staff attend all mandatory training. In addition, portable devices used to store personal data must be encrypted.

Nationwide Energy Services and We Claim You Gain

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls from two companies both owned by “Save Britain Money Ltd” to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much An unknown number of direct marketing calls resulting in over 2,700 complaints to the TPS or ICO.
When May 2011 – December 2012
Why Did not screen outbound calls against the TPS register.

Regulatory action

Regulator ICO
Action Nationwide Energy Services: Monetary penalty of £ 125,000

We Claim you Gain: Monetary penalty of £ 100,000
When 17 June2013

Why the regulator acted

Breach of act Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known Both companies had been repeatedly contacted by the TPS and ICO and were made aware they were in contravention of the Act. The TPS contacted Nationwide Energy Services on 1,601 occasions and We Claim You Gain 1,070 times.
Likely to cause damage or distress The sheer volume of complaints should have indicated that distress would be caused and individual complaints to the ICO detailed varying degrees of actual distress.

North Staffordshire Combined Healthcare NHS Trust

Breach details

What Sensitive personal data (medical) faxed to an incorrect recipient.
How much 3 records.
When August and September 2011
Why Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number.

Regulatory action

Regulator ICO
Action Monetary penalty of £55,000
When 11 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff.
Known or should have known The trust was aware that there was risks sending information by fax because it had introduced the safe haven and best practice. It should have known that the best practice guidelines needed to be backed up by training and management controls.
Likely to cause damage or distress The Commissioner’s usual argument that the data subjects, some of who were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party.

Glasgow City Council

Breach details

What Personal data, including some bank account details, on two stolen unencrypted laptops.
How much At least 20,143 records.
When 28 May 2012
Why Two unencrypted laptops were stolen from an office in the process of being refurbished. Employee 1 had locked up her laptop and left the key in Employee 2’s drawer. Employee 2 put his laptop in his storage drawer but failed to lock it. Both laptops were stolen. Employee 2’s laptop contained the council’s creditor payment history file, including 20,143 personal names ad addresses and 6,069 bank account details.
About 74 other unencrypted laptops are unaccounted for, of which six are known to have been stolen.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 04 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate technical measures to prevent the loss of personal data from laptops, such as implementing port control and encrypting laptops.
Known or should have known In spite of enforcement action taken against the Council in 2010 concerning failings related to unencrypted laptops, unencrypted laptops were still in use in 2012, in breach of the Council’s own policy. It should have been obvious the risks were increased by the physical insecurity of the offices undergoing refurbishment. The Commissioner also highlighted his own well-known guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress As usual, the Commissioner’s argument is that data subjects are likely to have suffered from substantial distress knowing that their personal data may be disclosed to third parties who have no right to see that information. Additionally if the data is disclosed to ‘untrustworthy third parties’ there is the potential that the data subjects may be exposed to identity theft.

DM Design Bedrooms

Breach details

What Serious breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much An unknown number of direct marketing calls resulting in 1,945 TPS complaints and an unspecified number of complaints directly to the ICO.
When June 2011 to November 2012
Why Ignored requirement to screen call lists against the Telephone Preference Service (TPS) or maintain an opt-out register.

BW Comments

After initial contact from the ICO, the unsolicited calls continued and some reported to the Commissioner were described as aggressive.

Regulatory action

Regulator ICO
Action Monetary penalty of £90,000
When 20 March 2013

Why the regulator acted

Breach of act Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known Concerns over PECR obligations were first raised by the Commissioner in 2004. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.
Likely to cause damage or distress The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

BW Observations

That DM Design breached the PECR by not screening against the the TPS register and maintaining their own opt-out list is not debatable. The volume of calls and complaints are significant (although we are not told what the average or maximum level of complaints are to the TPS in respect of a company other than “they [DM Design] were one of the organisations about which the most complaints were received”). What’s interesting is the ICO again used the same justification as the Tetrus Telecommunications MPN to determine the s55A(1)(b) ‘substantial damage or distress test’ – that although the distress in each individual case was not considerable, the cumulative effect of the distress caused by the totality of all calls made in contravention of PECR met the Commissioner’s threshold of substantial distress.

Mansfield District Council

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.