Freehold Community School

What

Loss of personal data.

How much

90 records.

Why

An unencrypted laptop and paperwork were stolen from a teacher’s car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The data controller was unaware of the necessity to ensure the encryption of portable media devices.

When

21 April 2011.

Links

View PDF of the Freehold Community School Undertaking (Via ICO Website)

View PDF of the Freehold Community School Undertaking (Breach Watch Archive)

University College London Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

750 records.

Why

Loss of an unencrypted memory stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are sufficiently encrypted and that staff are trained in the transportation of such data.

Reason for action

Sensitive personal information should never have been transported off site in an unencrypted media device.

When

15 April 2011.

Links

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Warrington and Halton Hospitals NHS Trust

What

Loss of sensitive data.

How much

110 records.

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Despite the data controller having a policy in place to ensure that all such devices were encrypted, this laptop had not been, nor had it been identified as a security risk, despite having no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)

Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in-transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security, given the sensitive nature of the data it contained.

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

Cambridgeshire County Council

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware of policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Ealing Council

Breach details

What: Loss of sensitive personal information.
How much: 958 records.
When: 2010
Why: Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator: ICO
Action: Monetary penalty of £80,000
When: 08 February 2011

Why the regulator acted

Breach of act: Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known: Data controller was aware of the possible consequences of such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress: Personal data of clients.

Hounslow Council

Breach details

What: Loss of sensitive personal information.
How much: 698 records.
When: 2010
Why: Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council, who processed the data.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £70,000
When: 8 February 2011

Why the regulator acted

Breach of act: Theft of unencrypted laptop. Inappropriate organisational and technical measures.
Known or should have known: There were no policies requiring the encryption of laptops and the data processor's policies were not monitored, despite the data controller having their own Information Security Policy.
Likely to cause damage or distress: Personal information of clients.

Stoke-on-Trent City Council

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick, the one used was not an approved encrypted device.

When

22 November 2010.

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

A4e Ltd

Breach details

What: Loss of sensitive personal information.
How much: 24,000 records.
When: 18/19 June 2010
Why: Theft of an unencrypted laptop from staff member’s home.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £60,000
When: 22 November 2010

Why the regulator acted

Breach of act: Theft of an unencrypted laptop. Inappropriate organisational and technical measures.
Known or should have known: Data controller was aware of the possible consequences of laptops being stolen and had commenced a laptop encryption program.
Likely to cause damage or distress: Financial and personal information of clients.

Rainforest Alliance Ltd

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the data controller's security policies.

Reason for action

Although the laptop was password protected and used with permission, it was not encrypted, and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010.

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)