Category Archives: ICO undertaking

Basingstoke and Deane Borough Council

Posted on by

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

E*Trade Securities Ltd.

Posted on by

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)

Manpower UK Ltd

Posted on by

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally email to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, included the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Chartered Institute of Public Relations

Posted on by

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)

Praxis Care Limited

Posted on by

What

Loss of sensitive personal data.

How much

160 records.

Why

An unencrypted USB memory stick used as a backup and transfer device by an employee was lost on the Isle of Man.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all personal media devices used to store or transport personal data are sufficiently encrypted.

Reason for action

The data controller acted swiftly to ascertain exactly what data was on the missing USB stick and appropriate support was provided to the effected subjects, No reports of adverse consequences from the data loss have been received.

When

18 January 2012.

Links

View PDF of the Praxis Care Limited Undertaking (Via ICO Website)

View PDF of the Praxis Care Limited Undertaking (Breach Watch Archive)

Richard Dominic Preston

Posted on by

What

Loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from the data controller’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store personal data are encrypted to a sufficient standard.

Reason for action

Although much of the data on the laptop would have been in the public domain, it included email correspondence relating to legal cases.

When

06 December 2011.

Links

View PDF of the Richard Dominic Preston Undertaking (Via ICO Website)

View PDF of the Richard Dominic Preston Undertaking (Breach Watch Archive)

Alan M Casson & Associates

Posted on by

What

Loss of sensitive personal data.

How much

8,000 records.

Why

Theft of two unencrypted laptops and back up media during a burglary of premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that physical security measures are sufficient to prevent unauthorised access to persona data and that all portable media devices must be encrypted to a suitable standard.

Reason for action

While the laptops were kept in a locked cupboard and the backup media in a safe (which was stolen) the data controller was in the process of upgrading their security to include encryption, but the theft occurred before this could be put into practice.

When

06 December 2011.

Links

View PDF of the Alan M Casson & Associates Undertaking (Via ICO Website)

View PDF of the Alan M Casson & Associates Undertaking (Breach Watch Archive)

Godalming College

Posted on by

What

Inappropriate disclosure of sensitive personal data.

How much

Unknown.

Why

An email with an attachment containing sensitive personal data was inadvertently sent to lower-sixth form students rather than their tutors. The email was only intended to contain a link to the attachment.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data relating to students will only be provided to staff on a “need to know” basis and will not, in any event, be transmitted via email unless encrypted.

Reason for action

Although efforts were made to delete or recall the email, some students had already saved or forwarded the attachment and some media publicity resulted.

When

06 December 2011.

Links

View PDF of the Godalming College Undertaking (Via ICO Website)

View PDF of the Godalming College Undertaking (Breach Watch Archive)

London Borough of Southwark

Posted on by

What

Loss of sensitive personal data.

How much

7,200 records.

Why

An unencrypted iMac and paper records were found by a member of the public in a skip being used to cleanse a decommissioned and vacant property that had previously been part of a complex previously owned by the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will demonstrate adherence to the action plans to deal with the issue that it has presented to the data commissioner and that it will honour its invitation for the ICO to conduct a data protection audit.

Reason for action

Although the Data Controller demonstrated plans to deal with the breach, the iMac had been missing since 2003 and was unencrypted and any member of the public would have been able to remove the data contained on it.

When

21 November 2011.

Links

View PDF of the London Borough of Southwark Undertaking (Via ICO Website)

View PDF of the London Borough of Southwark Undertaking (Breach Watch Archive)

Central Essex Community Services

Posted on by

What

Loss of sensitive personal data.

How much

249 records.

Why

Loss of a birth book from a locked storage room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient physical security measures are in place for the storage of paper medical records and compliance with these measures are monitored.

Reason for action

The birth book was supposed to be locked in a filing cabinet in accordance with the data controller’s policy, but it was stored on top of the cabinet due to a lack of storage space.

When

21 November 2011.

Links

View PDF of the Central Essex Community Services Undertaking (Via ICO Website)

View PDF of the Central Essex Community Services Undertaking (Breach Watch Archive)