Godalming College

What

Inappropriate disclosure of sensitive personal data.

How much

Unknown.

Why

An email with an attachment containing sensitive personal data was inadvertently sent to lower-sixth form students rather than their tutors. The email was only intended to contain a link to the attachment.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data relating to students will only be provided to staff on a “need to know” basis and will not, in any event, be transmitted via email unless encrypted.

Reason for action

Although efforts were made to delete or recall the email, some students had already saved or forwarded the attachment and some media publicity resulted.

When

06 December 2011.

Links

View PDF of the Godalming College Undertaking (Via ICO Website)

View PDF of the Godalming College Undertaking (Breach Watch Archive)

North Somerset Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

London Borough of Southwark

What

Loss of sensitive personal data.

How much

7,200 records.

Why

An unencrypted iMac and paper records were found by a member of the public in a skip being used to cleanse a decommissioned and vacant property that had previously been part of a complex previously owned by the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will demonstrate adherence to the action plans to deal with the issue that it has presented to the data commissioner and that it will honour its invitation for the ICO to conduct a data protection audit.

Reason for action

Although the Data Controller demonstrated plans to deal with the breach, the iMac had been missing since 2003 and was unencrypted and any member of the public would have been able to remove the data contained on it.

When

21 November 2011.

Links

View PDF of the London Borough of Southwark Undertaking (Via ICO Website)

View PDF of the London Borough of Southwark Undertaking (Breach Watch Archive)

Phoenix Nursery School

What

Loss of sensitive personal data.

How much

Unknown.

Why

A backup tape and supporting device containing details of pupils, parents and guardians was lost.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that in the future all personal data is encrypted to a sufficient standard and that current operational procedures are reviewed and revised.

Reason for action

While the backup tape did not appear to have been stolen, it could not be located. The data controller contacted all parents and guardians effected by the incident to advise them accordingly. However although the data on the device was recovered in full, the Commissioner’s investigation revealed that the technical measures employed by the school were inadequate.

When

16 November 2011.

Links

View PDF of the Phoenix Nursery School Undertaking (Via ICO Website)

View PDF of the Phoenix Nursery School Undertaking (Breach Watch Archive)

Rochdale Metropolitan Borough Council

What

Loss of personal data.

How much

“Thousands”

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issues to ensure that all portable media devices used to store personal data are sufficiently encrypted and that policies and procedures on the storage, processing, transmission and disposal of personal data shall be reviewed and revised by no later than 1 December 2011.

Reason for action

Although much of the data on the USB stick was already available in the public domain it became clear during investigations that data protection training was insufficient and that encrypted memory sticks were not provided in those cases when more private data would have been stored.

When

03 November 2011.

Links

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Breach Watch Archive)

Newcastle Youth Offending Team

What

Loss of sensitive personal data.

How much

100 records.

Why

Theft of an unencrypted laptop from a home address of an employee of a hired data processor.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all data processors contracted on the data controllers behalf comply with the principles of the Act and in particular that all potable media devices are sufficiently encrypted.

Reason for action

The data controller did not have an appropriate contract in place with the data processor which stipulated the need to encrypt devices containing personal data.

When

28 October 2011.

Links

View PDF of the Newcastle Youth Offending Team Undertaking (Via ICO Website)

View PDF of the Newcastle Youth Offending Team Undertaking (Breach Watch Archive)

Association of School and College Leaders

What

Loss of sensitive personal data.

How much

100 records.

Why

Theft of unencrypted laptop from staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted.

Reason for action

Although encryption software was provided, whether or not to use it was left to the discretion of staff members.

When

05 October 2011.

Links

View PDF of the Association of School and College Leaders Undertaking (Via ICO Website)

View PDF of the Association of School and College Leaders Undertaking (Breach Watch Archive)

Holly Park School

What

Loss of sensitive personal data.

How much

Nine records.

Why

Theft of an unencrypted laptop from school premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted and are kept physically secure.

Reason for action

Although the laptop was kept in a locked filling cabinet the office it was housed in was not locked.

When

05 October 2011.

Links

View PDF of the Holly Park School Undertaking (Via ICO Website)

View PDF of the Holly Park School Undertaking (Breach Watch Archive)

London Ambulance Service NHS Trust

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of unencrypted laptop from a staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff members are made aware sensitive personal data is not to be forwarded to personal email accounts under any circumstances.

Reason for action

Data was emailed by a staff member to a personal account and downloaded onto a personal, unencrypted, laptop.

When

07 September 2011.

Links

View PDF of the London Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the London Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

University Hospital of South Manchester NHS Foundation Trust

What

Loss of sensitive personal data.

How much

87 records.

Why

Loss of an unencrypted memory stick by a medical student.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that students are provided with sufficient training and that the security of personal data is sufficiently monitored.

Reason for action

It was assumed that the medical student had already received sufficient data protection training. Sensitive data was copied from an encrypted memory stick provided by the hospital to an unencrypted personal memory stick.

When

07 September 2011.

Links

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Breach Watch Archive)