Stoke-on-Trent City Council

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Norwood Ravenswood Ltd

Breach details

What Loss of sensitive personal data.
How much Four records.
When 5 December 2011
Why A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared..

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 10 October 2012

Why the regulator acted

Breach of act Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not recieved any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known The data controller had an overarching data protection policy which staff were aware of, even if specific guidence was not given. The sensitivity of staff’s work would have been self evident.
Likely to cause damage or distress The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Central London Community Healthcare NHS Trust

Breach details

What Inappropriate disclosure of sensitive personal data.
How much 59 records.
When 28 March 2011
Why On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 21 May 2012

Why the regulator acted

Breach of act Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
Likely to cause damage or distress Medical data of patients.

BW Observations

This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.

Safe and Secure Insurances Services Limited

What

Loss of personal data.

How much

Unknown

Why

A hard drive purchased from the Internet contained personal data relating to S&S clients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any redundant hard drives and removable media devices used to store personal data are forensically wiped or completely destroyed before being disposed of or reused. The details of any such items must be logged.

Reason for action

S&S could not confirm how the hard drive had ended up in the public domain. It also transpired that the data controller did not have an adequate data protection policy in place at the time of the incident and further, that it did not have a drive disposal procedure. The data controller did not keep a record of any decommissioned equipment.

When

25 Apr 2012

Links

View PDF of the Safe and Secure Insurances Services Limited Undertaking (ICO Website)

View PDF of the Safe and Secure Insurances Services Limited Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
22,000 records.

Why
6 unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractor’s staff. All staff must receive adequate data protection training.

Reason for action
Due to network connection problems patient data had been stored on laptop C drives contrary to Trust policy and was not encrypted.

When
27 March 2009

Links
View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

London Ambulance Service NHS Trust

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of unencrypted laptop from a staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff members are made aware sensitive personal data is not to be forwarded to personal email accounts under any circumstances.

Reason for action

Data was emailed by a staff member to a personal account and downloaded onto a personal, unencrypted, laptop.

When

07 September 2011.

Links

View PDF of the London Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the London Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

The Scottish Children’s Reporter Administration

What

Loss of sensitive personal data.

How much

10 records.

Why

An email containing sensitive information was sent to an unknown 3rd party and nine case files were temporarily lost during a move.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware that they may not send data to personal email accounts.

Reason for action

Information was emailed despite a policy being in place that stated this could only be done if sent to an equally secure recipient. A filing cabinet was not checked for case files during a move.

When

02 September 2011.

Links

View PDF of the Scottish Children’s Reporter Administration Undertaking (Via ICO Website)

View PDF of the Scottish Children’s Reporter Administration Undertaking (Breach Watch Archive)

London Borough of Greenwich

What

Two incidents of disclosure of sensitive personal information.

How much

Two records.

Why

Information sent to incorrect email addresses.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the Council’s IT policy specifically makes it clear that data is not to be sent to personal emails.

Reason for action

Both incidents saw staff fail to adhere to the Council’s IT policy, regarding the encryption of data. However the policy did not explicitly prevent the sending to data to personal emails.

When

10 August 2011.

Links

View PDF of the London Borough of Greenwich Undertaking (Via ICO Website)

View PDF of the London Borough of Greenwich Undertaking (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust.

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was sent out in response to a third party Subject Access Request, inappropriately.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests lead to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Warrington and Halton Hospitals NHS Trust

What

Loss of sensitive data.

How much

110 records

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Despite the data controller having a policy in place to ensure that all such devices were encrypted, this laptop had not been, nor had it been identified as a security risk, despite having no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)