North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone, and it has not been recovered to date. The USB stick had been issued in 2005 so that the teacher could access necessary data on their visits to schools and community locations, which took up the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident, and staff could only encrypt their devices through voluntary initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non-mandatory and attendance cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks were identified in 2009 but their use was not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although an encryption service was available from this point, it was voluntary and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer, thereby making the data available to the public. The documents were discovered on 15 February 2012 and were removed (along with all cached versions) within four hours. However, on 18 February a national newspaper published a story on this incident, although, after a discussion with the Council, no personal data was included.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of the data subjects’ personal information is likely to cause them substantial distress, particularly as this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals. There is also the risk that the information may have been further disseminated and misused.

Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records.
When 17 July 2011.
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by endpoint protection software and encrypted USB drives are issued to everyone who needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012.

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers so that it could be accessed away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparent endemic use of unencrypted media by the force the fine appears to be on the low side of what the commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

South London Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, on two separate occasions. A clipboard of ward lists was left in a grocery store, and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and, at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Pervinder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Pervinder Sanghera Undertaking (Breach Watch Archive)

Praxis Care Limited

What

Loss of sensitive personal data.

How much

160 records.

Why

An unencrypted USB memory stick used as a backup and transfer device by an employee was lost on the Isle of Man.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all personal media devices used to store or transport personal data are sufficiently encrypted.

Reason for action

The data controller acted swiftly to ascertain exactly what data was on the missing USB stick, and appropriate support was provided to the affected subjects. No reports of adverse consequences from the data loss have been received.

When

18 January 2012.

Links

View PDF of the Praxis Care Limited Undertaking (Via ICO Website)

View PDF of the Praxis Care Limited Undertaking (Breach Watch Archive)

Rochdale Metropolitan Borough Council

What

Loss of personal data.

How much

“Thousands”

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that policies and procedures on the storage, processing, transmission and disposal of personal data are reviewed and revised by no later than 1 December 2011.

Reason for action

Although much of the data on the USB stick was already available in the public domain, it became clear during investigations that data protection training was insufficient and that encrypted memory sticks were not provided in those cases where more private data would have been stored.

When

03 November 2011.

Links

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Breach Watch Archive)

Child Exploitation Online Protection Centre and the Serious Organised Crime Agency

What

The CEOP’s website reporting forms were being transmitted insecurely.

How much

None.

Why

A member of the public realised that the website’s reporting page was insecure.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is made secure and subject to regular checks.

Reason for action

Reports were transmitted unencrypted in plain text and this had been the case for several months.

When

15 September 2011.

Links

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Via ICO Website)

View PDF of the Child Exploitation Online Protection Centre and the Serious Organised Crime Agency Undertaking (Breach Watch Archive)

University Hospital of South Manchester NHS Foundation Trust

What

Loss of sensitive personal data.

How much

87 records.

Why

Loss of an unencrypted memory stick by a medical student.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that students are provided with sufficient training and that the security of personal data is sufficiently monitored.

Reason for action

It was assumed that the medical student had already received sufficient data protection training. Sensitive data was copied from an encrypted memory stick provided by the hospital to an unencrypted personal memory stick.

When

07 September 2011.

Links

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Breach Watch Archive)