Central Lancashire Primary Care Trust

What
Loss of sensitive personal data.

How much
6,360 records.

Why
An encrypted memory stick containing data relating to medical treatment was lost by a member of staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed and that mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the loss of the data in question. The memory stick had a “Post it” sticker adhered to it containing the applicable password for the use of the stick.

When
8 April 2009

Links
View PDF of the Central Lancashire Primary Care Trust Undertaking (Breach Watch Archive)

Hull and East Yorkshire Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
In the first incident an unencrypted desktop PC containing personal data relating to about 300 patients was lost during refurbishment. On the second occasion a disused unencrypted laptop containing personal relating to 2,000 patients from prior to January 2007, was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Personal data must not be held on any media for any longer than needed. All staff must receive adequate data protection training and be reminded of internal policies regularly.

Reason for action
The data controller did had in place policies and procedures relating to data security and the storage and transfer of equipment and data, which were not followed in either instance.

When
7 April 2009

Links
View PDF of the Hull and East Yorkshire Hospitals NHS Trust Undertaking (Breach Watch Archive)

The British Council

What
Loss of sensitive personal data.

How much
22,000 records.

Why
An unencrypted computer data storage disc containing personal data relating to 2,000 staff, including trade union membership, was lost in transit by a courier service.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed either by the data controller or any third parties. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
Although the disc was lost by a third party, the council had failed to ensure that the disc was encrypted to a minimum standard.

When
7 April 2009

Links
View PDF of the British Council Undertaking (Breach Watch Archive)

Cambridge University Hospitals NHS Foundation Trust

What
Loss of sensitive personal data.

How much
741 records.

Why
An unencrypted memory stick containing the personal data of patients was left unattended in a car and found by a car wash attended to was able to access the device and establish its ownership.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed by the Trust. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the unauthorised transfer of data onto a non-trust owned, unencrypted memory stick.

When
03 April 2009

Links
View PDF of the Cambridge University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Stockport NHS Foundation Trust

What
Loss of sensitive personal data.

How much
1,588 records.

Why
An unencrypted laptop containing sensitive personal data was stolen from a locked hospital room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented. All such devices must be registered with the IT department. All staff must receive adequate data protection training.

Reason for action
The laptop was password protected but not encrypted. It had not been locked in a cabinet as was usual but was stored in a covered box under the desk. The laptop did not appear to have been registered with the Trust’s IT department.

When
25 March 2009

Links
View PDF of the Stockport NHS Foundation Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick  containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented  All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of site, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)

The North West London Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 361 records.

Why
Two laptop computers were stolen and in a separate incident, a desktop computer was stolen. In both cases these devices held the personal data of patients.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. All storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
In both cases the machines were password protected but not encrypted. In the second incident a swipe card security system that controlled entry to the building has been disabled for maintenance.

When
19 March 2009

Links
View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Brent Teaching Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted, Staff must be adequately trained on the data controller’s information security policies.

Reason for action
The laptops were unencrypted and although the office was locked they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.

When
19 January 2009

Links
View PDF of the Brent Teaching Primary Care Trust Undertaking (Breach Watch Archive)

Abertawe Bro Morgannwg University NHS Trust

What
Loss of personal data.

How much
5,000 records.

Why
An unencrypted laptop containing sensitive personal data relating to approximately 5,000 patients was stolen from an unlocked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the portable and mobile devices are encrypted to a suitable standard.

Reason for action
The Laptop was unencrypted and the office was not locked as it usually would have been.

When
14 January 2009

Links
View PDF of the Abertawe Bro Morgannwg University NHS Trust Undertaking (Breach Watch Archive)

Virgin Media Limited

What
Loss of personal data.

How much
3,383 records.

Why
An unencrypted compact disc containing the personal data of 3,383 customers passed on to the data controller by Carphone Warhouse was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that media devices used to transport and store personal data are encrypted and that any contracts between the data controller and any data processors require this.

Reason for action
The lost CD was unencrypted and the arrangement between the data controller and data processor was insufficient.

When
17 September 2008

Links
View PDF of the Virgin Media Limited Undertaking (Breach Watch Archive)