Breach details
| What | Documents containing personal data relating to a ‘fitness to practice’ hearing. |
| How much | An unknown number of documents. |
| When | 2011. |
| Why | A suitcase containing documents relating to a ‘fitness to practice’ hearing was stolen from a train. The solicitors who had prepared these documents had not signed a contract to act only under instruction from the Data Controller, and had not been provided with specific guidance on the redaction of these documents for hearings. |
BW Comments
| It is strange the the ICO highlights the lack of an adequate contract between the Data Controller and their solicitor. Surely the normal contract of engagement between a client and solicitor would provide the necessary requirements of confidentiality and that the solicitor should only act on the client’s instructions? |
Regulatory action
| Regulator | ICO | Action | Undertaking to comply with the seventh data protection principle. |
| When | 09 July 2013. |
| Details | The Data Controller is to immediately enter into a contract with its solicitors and issue instructions regarding the processing of personal data. In addition, agents and contractors given access to personal data are to be provided with specific guidance around data security; compliance with policies on data protection is to be regularly monitored; and security measures are to be implemented to protect personal data. |
Links
| View PDF of the Health & Care Professions Council Undertaking (Breach Watch Archive) |
| View PDF of the Health & Care Professions Council Undertaking (Via ICO Website) |
Follow Up
| The ICO conducted a follow up assessment on 22 October 2013. |
| View PDF of the Health and Care Professions Council Undertaking Follow Up (Breach Watch Archive) |
| View PDF of the Health and Care Professions Council Undertaking Follow Up (Via ICO Website) |