Lampeter Medical Practice

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect to the unauthorised use of memory sticks.

Reason for action
A practical database was downloaded, without authorisation onto an unencrypted and non password protected memory stick

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

King’s College London

What
Loss of sensitive personal data.

How much
About 200 records.

Why
A mini-Mac computer and several laptops were stolen from an academic office of the data controller in a teaching hospital.

In a second incident several months later two laptops were stolen from another teaching hospital.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
None of the machines were encrypted and it was discovered that the laptops were not normally locked away or physically secured when not in use. Enquiries revealed that staff training and awareness in relation to data protection responsibilities were inadequate. A similar incident had occurred in June 2009 but the data controller did not appear to have incorporated lessons learnt from that incident sufficiently into its wider policies and procedures.

When
5 May 2010

Links
View PDF of the King’s College London Undertaking (Breach Watch Archive)

Eastbourne Borough Council

What
Loss of personal data.

How much
Three records.

Why
Three unencrypted laptops were stolen from the general office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The office had a electronic lock that staff knew to be faulty and the laptops were neither encrypted  nor physically secured to the desks or locked away. The data controller had recently relocated and staff did not have access to the central network for some time, resulting in the use of the laptop to store and update a database containing personal information.

When
29 April 2010

Links
View PDF of the Eastbourne Borough Council Undertaking (Breach Watch Archive)

South Yorkshire Pensions Authority

What
Loss of personal data.

How much
9,140 records.

Why
An unencrypted cd containing personal data relating to 9,140 pension scheme members was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The cd was being used as a working copy by administrative staff in the office environment and there was no indication it had been stolen. It had been created to provide staff easy access to data without full consideration of data security implications.

When
22 April 2010

Links
View PDF of the South Yorkshire Pensions Authority Undertaking (Breach Watch Archive)

Ysgol Bro Famau

What
Loss of sensitive personal data.

How much
A few records.

Why
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.

When
16 April 2010

Links
View PDF of the Ysgol Bro Famau Undertaking (Breach Watch Archive)

St James Primary School

What
Loss of sensitive personal data.

How much
27 records.

Why
A teacher’s bag containing an unencrypted memory stick was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Memory sticks are not to be used in conjunction with “Report Assist” software to store or transmit personal data.

Reason for action
The memory stick was the teacher’s personal property and contained pupil reports.

When
15 April 2010

Links
View PDF of the St James Primary School Undertaking (Breach Watch Archive)

Birmingham and Solihull Mental Health NHS

What
Loss of sensitive personal data.

How much
A few records.

Why
A laptop storing a number of details relating to patients who had received mental healthcare within the trust, together with a number of staff records, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The laptop was stored stored in an unlocked filling cabinet in a secure, but not alarmed, office. At the time the majority of data stored on the laptop was out of data and had no business need to be retained.

When
9 April 2010

Links
View PDF of the Birmingham and Solihull Mental Health NHS Undertaking (Breach Watch Archive)

Warwickshire County Council

What
Loss of sensitive personal data.

How much
A few records.

Why
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.

The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.

When
19 March 2010

Links
View PDF of the Warwickshire County Council Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)

St Albans City and District Council

What
Loss of personal data.

How much
15,333 records.

Why
Four unencrypted laptops were stolen, one of which contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data. Adequate security checks must be carried out on contractor’s staff.

Reason for action
The laptop containing personal data was unencrypted (yet met Council IT security policy at the time) and contained redundant election data that had not been removed in a reasonable amount of time. It was later taken by contracted IT staff and left unsecured, later discovered to be missing along with 3 other laptops.

When
5 March 2010

Links
View PDF of the St Albans City and District Council Undertaking (Breach Watch Archive)