Category Archives: ICO monetary penalty

Torbay Care Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much 1,373 records.
When April 2011
Why Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000
When 6 August 2012

Why the regulator acted

Breach of act Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress Financial and Medical data. May have been accessed by untrustworthy third parties.

Links

View PDF of the Torbay Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Torbay Care Trust Monetary Penalty Notice (Via ICO Website)

St George’s Healthcare NHS Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much Two records.
When 2011
Why Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, at which the subject had resided at 5 years previous. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged into the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved with compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 12 July 2012

Why the regulator acted

Breach of act Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS.
Likely to cause damage or distress Medical data.

Links

View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

Welcome Financial Services Limited

Posted on by

Breach details

What Loss of personal data.
How much Approximately 2 million records.
When 7 November 2011
Why Backup tapes of Shopacheck’s LAN were transported back and forth between the network site and an offsite storage room. On the 23rd of November 2011 it was discovered that two of these tapes, containing personal data, of millions of individuals were missing.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 5 July 2012

Why the regulator acted

Breach of act Unencrypted tapes were lost, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the tapes going missing, since policies were in place requiring encryption.
Likely to cause damage or distress Financial information of customers.

Links

View PDF of the Welcome Financial Services Limited Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Welcome Financial Services Limited Monetary Penalty Notice (Via ICO Website)

Belfast Health and Social Care Trust

Posted on by

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Links

View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Belfast Health and Social Care Trust Monetary Penalty Notice (Via ICO Website)

Telford & Wrekin Council

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.

Links

View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Via ICO Website)

Brighton and Sussex University Hospitals NHS Trust

Posted on by

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially four hard drives sold eBay in October and November 2010 were found to contain were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide gurantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical Data of Patients.

Links

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Via ICO Website)
View the Brighton and Sussex University Hospitals response to the penalty (external archive)

Central London Community Healthcare NHS Trust

Posted on by

Breach details

What Inappropriate disclosure of sensitive personal data.
How much 59 records.
When 28 March 2011
Why On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 21 May 2012

Why the regulator acted

Breach of act Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
Likely to cause damage or distress Medical data of patients.

BW Observations

This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.

Links

View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)
View PDF of the Information Tribunal Decision.
An analysis of the tribunal decision at the Panopticon blog. (Interestingly barristers from 11KBW acted for both the Commissioner and the Trust)

London Borough of Barnet

Posted on by

Breach details

What Loss of sensitive personal information.
How much 15 records.
When 23 April 2011
Why Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 15 May 2012

Why the regulator acted

Breach of act Loss of paper records.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress Data relating to child exploitation.

Links

View PDF of the London Borough of Barnet Monetary Penalty Notice (Breach Watch Archive)
View PDF of the London Borough of Barnet Monetary Penalty Notice (Via ICO Website)

Aneurin Bevan Health Board

Posted on by

Breach details

What Loss of sensitive personal data.
How much One records.
When 24 March 2011
Why A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When 30 April 2012

Why the regulator acted

Breach of act Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress Medical data.

Links

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Via ICO Website)
View PDF of the Aneurin Bevan Health Board Undertaking (Breach Watch Archive)
View PDF of the Aneurin Bevan Health Board Undertaking (Via ICO Website)

The Lancaster Constabulary

Posted on by

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Links

View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Breach Watch Archive)
View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Via ICO Website)
View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Breach Watch Archive)
View PDF of the The Lancaster Constabulary Monetary Penalty Notice (Via ICO Website)