Durham University

What

Loss of personal data.

How much

Unknown.

Why

Training manuals posted on the data controller’s website contained actual, rather than fictitious or anonymised, personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that no documents containing personal data shall be placed on the data controller’s website and that staff will be made aware of IT security policies by no later than the 30th of September 2012.

Reason for action

The breach was discovered in July 2011 but the manuals had been live on the website since February 2011. During the investigation it became clear that only around 20% of staff had made use of the training materials available to them.

When

01 March 2012.

Links

View PDF of the Durham University Undertaking (Via ICO Website)

View PDF of the Durham University Undertaking (Breach Watch Archive)

Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Pervinder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Pervinder Sanghera Undertaking (Breach Watch Archive)

Fairbridge

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions, password-protected but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date, they did not contain any sensitive personal data. Since the incident occurred, the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database with child swimming lessons was stolen from a ground level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers, the thief was able to remove the laptop and escape, as the laptop was left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Dacorum Borough Council

What

Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground following a burglary. It contained registration documents relating to about 1000 children who have attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting in registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Brighton and Hove Council

What

Loss of sensitive personal data.

How much

Records relating to up to seven families.

Why

Theft of an unencrypted laptop during a burglary and, on a separate occasion, details of an employee’s income and salary deductions were accidentally emailed to 2,821 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are suitably encrypted and appropriate administrative measures are put into place to control employee use of email groups.

Reason for action

The laptop was stolen from the home of a sessional worker, a casual employee under contract for a specific assignment. The data sent to the worker was supposed to have been anonymised, but had not been.

When

10 February 2012.

Links

View PDF of the Brighton and Hove Council Undertaking (Via ICO Website)

View PDF of the Brighton and Hove Council Undertaking (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, including the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However, the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested.

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Praxis Care Limited

What

Loss of sensitive personal data.

How much

160 records.

Why

An unencrypted USB memory stick used as a backup and transfer device by an employee was lost on the Isle of Man.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all personal media devices used to store or transport personal data are sufficiently encrypted.

Reason for action

The data controller acted swiftly to ascertain exactly what data was on the missing USB stick and appropriate support was provided to the affected subjects. No reports of adverse consequences from the data loss have been received.

When

18 January 2012.

Links

View PDF of the Praxis Care Limited Undertaking (Via ICO Website)

View PDF of the Praxis Care Limited Undertaking (Breach Watch Archive)

Richard Dominic Preston

What

Loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from the data controller’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store personal data are encrypted to a sufficient standard.

Reason for action

Although much of the data on the laptop would have been in the public domain, it included email correspondence relating to legal cases.

When

06 December 2011.

Links

View PDF of the Richard Dominic Preston Undertaking (Via ICO Website)

View PDF of the Richard Dominic Preston Undertaking (Breach Watch Archive)

Alan M Casson & Associates

What

Loss of sensitive personal data.

How much

8,000 records.

Why

Theft of two unencrypted laptops and back up media during a burglary of premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that physical security measures are sufficient to prevent unauthorised access to personal data and that all portable media devices must be encrypted to a suitable standard.

Reason for action

While the laptops were kept in a locked cupboard and the backup media in a safe (which was stolen), the data controller was in the process of upgrading their security to include encryption, but the theft occurred before this could be put into practice.

When

06 December 2011.

Links

View PDF of the Alan M Casson & Associates Undertaking (Via ICO Website)

View PDF of the Alan M Casson & Associates Undertaking (Breach Watch Archive)