Breach details
What | Loss of a bag containing sensitive personal data including a mental health act tribunal report, a solicitor’s letter, and five CV’s. |
How much | Documents relating to at least seven individuals. |
When | 26 November 2012. |
Why | A consultant psychiatrist lost their bag containing these documents when cycling home from the office. The documents were necessary for the consultant to work outside of the office environment, but although other more secure means of transporting the data or remote server access were available they were not communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred. |
Regulatory action
Regulator | ICO | |
Action | Undertaking to comply with the seventh data protection principle. | |
When | 04 October 2013. | |
Details | The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced. |
Links
View PDF of the Cardiff and Vale University Health Board Undertaking (Breach Watch Archive) |
View PDF of the Cardiff and Vale University Health Board Undertaking (Via ICO Website) |
Follow Up
The ICO conducted a follow up assessment in March 2014 (published on 16 June). |
View PDF of the Cardiff and Vale University Health Board Undertaking Follow Up (Breach Watch Archive) |
View PDF of the Cardiff and Vale University Health Board Undertaking Follow Up (Via ICO Website) |