Cardiff and Vale University Health Board

Breach details

What: Loss of a bag containing sensitive personal data, including a Mental Health Act tribunal report, a solicitor’s letter, and five CVs.
How much: Documents relating to at least seven individuals.
When: 26 November 2012.
Why: A consultant psychiatrist lost their bag containing these documents while cycling home from the office. The consultant needed the documents in order to work outside the office environment. More secure means of transporting the data, and remote server access, were available, but they had not been communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred.

Regulatory action

Regulator: ICO
Action: Undertaking to comply with the seventh data protection principle.
When: 04 October 2013.
Details: The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.