Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in case was stolen from the proprietor’s car when it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer thereby making the data available to the public. The documents were discovered on 15th February 2012 and were removed (along with all cached versions) within four hours. However, on 18th February a national newspaper published a story on this incident although personal data was not included after a discussion with the Council.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals.There is also the risk that the information may have been further disseminated and misused.

Islington Borough Council

Breach details

What Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.
How much 2,375 records.
When 26 June 2012
Why Spreadsheets prepared by one department providing a response to an FOIA request used pivot tables to provide the summary information requested, however the published spreadsheets also contained the raw source data in hidden worksheets within the same spreadsheet. The request originated via the WhatDoTheyKnow website which automatically publishes all FOIA responses to the web, making them publicly available .

Regulatory action

Regulator ICO
Action Monetary Penalty notice of £70,000
When 20 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
Known or should have known The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
Likely to cause damage or distress The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.

Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four year period a number of faxes containing personal information were sent to incorrect recipients rather than the bank’s certal processing systems. These breaches occurred on different faxes in different locations, and were made by a large number of staff from different branches. This was due to misdialling and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated his dislike of faxing, especially if the errors occurred because of manual misdialling which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach where a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.

NHS Surrey

Breach details

What Loss of personal data and sensitive personal data.
How much Approximately 1,570 hard drives. An unspecified number of records.
When 08 March 2010 – 02 July 2012
Why Between 08 March 2010 and 28 May 2012 hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper – there’s no substitute for watching your old hard drives being put through an industrial shredder.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 18 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was taken; there was no written contract with the data processor requiring the company to comply with regulations; and NHS Surrey did not take appropriate steps to ensure complaince with the regulations.
Known or should have known NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound the problem by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only 60% of the penalty (£200K vs £325K) on NHS Surrey for losing a around 60% more disks (1,570 vs 1,000).

North Staffordshire Combined Healthcare NHS Trust

Breach details

What Sensitive personal data (medical) faxed to an incorrect recipient.
How much 3 records.
When August and September 2011
Why Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number.

Regulatory action

Regulator ICO
Action Monetary penalty of £55,000
When 11 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff.
Known or should have known The trust was aware that there was risks sending information by fax because it had introduced the safe haven and best practice. It should have known that the best practice guidelines needed to be backed up by training and management controls.
Likely to cause damage or distress The Commissioner’s usual argument that the data subjects, some of who were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party.

Glasgow City Council

Breach details

What Personal data, including some bank account details, on two stolen unencrypted laptops.
How much At least 20,143 records.
When 28 May 2012
Why Two unencrypted laptops were stolen from an office in the process of being refurbished. Employee 1 had locked up her laptop and left the key in Employee 2’s drawer. Employee 2 put his laptop in his storage drawer but failed to lock it. Both laptops were stolen. Employee 2’s laptop contained the council’s creditor payment history file, including 20,143 personal names ad addresses and 6,069 bank account details.
About 74 other unencrypted laptops are unaccounted for, of which six are known to have been stolen.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 04 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate technical measures to prevent the loss of personal data from laptops, such as implementing port control and encrypting laptops.
Known or should have known In spite of enforcement action taken against the Council in 2010 concerning failings related to unencrypted laptops, unencrypted laptops were still in use in 2012, in breach of the Council’s own policy. It should have been obvious the risks were increased by the physical insecurity of the offices undergoing refurbishment. The Commissioner also highlighted his own well-known guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress As usual, the Commissioner’s argument is that data subjects are likely to have suffered from substantial distress knowing that their personal data may be disclosed to third parties who have no right to see that information. Additionally if the data is disclosed to ‘untrustworthy third parties’ there is the potential that the data subjects may be exposed to identity theft.

Halton Borough Council

Breach details

What Details of adoptive parents accidentally disclosed to birth parents.
How much 1 record.
When 25 May 2012
Why An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake only to use the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.

–>

Stockport Primary Care Trust

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Nursing and Midwifery Council

Breach details

What Loss of sensitive personal data (medical and details relating to legal proceedings).
How much Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When 07 October 2011
Why In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

  1. Always use couriers when sending personal data on physical media.
  2. Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 12 February 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.