A Network Storage device containing records relating to doctors employed by the data controller was lost or stolen in transit during a move and was sold on eBay. It was eventually recovered.
Undertaking issued to ensure that contracts are put in place between the Data controller and any contractors it uses to process personal data on its behalf, who must be sufficiently checked. Sufficient physical security measures must be implemented and records of data contained on physical media must be kept.
Reason for action
Neither the network storage device or the personal data contained within it were encrypted. No inventory of equipment being transported was taken and therefore the loss/theft of the device went unnoticed until the eBay buyer contacted the Data controller.
14 October 2010
View PDF of the Healthcare Locums PLC Undertaking (Via ICO Website)
View PDF of the Healthcare Locums PLC Undertaking (Breach Watch Archive)