London Borough of Sutton

What
Loss of sensitive personal data.

How much
About 119 records.

Why
Numerous Incidents:

  • A paper file containing personal data relating to 73 individuals receiving social care went missing from an office.
  • A document package relating to childcare proceedings was left with the neighbour of an intended recipient and subsequently went missing.
  • An unencrypted laptop containing personal data to 9 children was stolen from a locked cupboard on a children’s hospital ward.
  • An unencrypted laptop containg social care data relating to 39 individuals was stolen from the home of an employee of the data controller.
  • 9 administration computers used to access dara in the data controller’s network were stolen, but some files may have been downloaded onto the computer’s hard drives in breach of policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Measures must be taken to ensure the physical security of all such devices containing personal information. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The various breaches demonstration a lack of security, both physical and technical. The sheer amount of breaches betrayed an overall organisational weakness.

When
29 July 2009

Links
View PDF of the London Borough of Sutton Undertaking (Breach Watch Archive)