Nursing and Midwifery Council

Breach details

What Loss of sensitive personal data (medical and details relating to legal proceedings).
How much Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When 07 October 2011
Why In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

  1. Always use couriers when sending personal data on physical media.
  2. Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 12 February 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.

Stoke-on-Trent City Council

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by an endpoint protection software and encrypted USB drives are issued to everyone that needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

IEEE stored 100,000 usernames and passwords in plaintext on FTP server

What
Loss of personal data

How much
Unknown.

Why
Log files containing nearly 100,000 usernames and plain-text passwords were stored on an FTP server that did not require a login.

The log files, from ieee.org and spectrum.ieee.org, were stored in an unprotected directory on the server and were available to any public user.

Denmark-based Romanian computer scientist Radu Dragusin, who discovered the files, has undertaken not to make the raw data public, although it is not known whether the data set was downloaded by anyone else.

Analysis of the data is available on the website Dragusin created after discovering the files – ieeelog.com

The organisation has acknowledged the breach.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Edinburgh City Council Investigates Laptop Theft

What
Loss of senstive personal data.

How much
Unknown.

Why
 The Edinburgh Evening News reported that an unencrypted laptop containing sensitive personal data relating to vulnerable children was stolen from the home of a consultant who conducts reviews of foster and adoptive parents in Edinburgh.

The police believe that the data on the laptop was not targeted, and the Council claims to have contacted “as many as possible” of those whose details were contained on the laptop.

Working with BT the City of Edinburgh Council had taken measures to encrypt some 8000 computers belonging to the council, following an IT security review in 2010. It would appear that the issue here was a failure to ensure that third parties also handling this data followed the same security measures.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

 

Hertfordshire County Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)

South London Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, one two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
22,000 records.

Why
6 unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractor’s staff. All staff must receive adequate data protection training.

Reason for action
Due to network connection problems patient data had been stored on laptop C drives contrary to Trust policy and was not encrypted.

When
27 March 2009

Links
View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third software installed allowing its usage to be tracked. No usage has been logged since the threat. However the USB sticks contained sensitive personal information and at the time if the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected, but had not been encrypted, However the data controller proposed to improve physical software and implement encryption as a result of the incident.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)