Littlewoods Shop Direct Home Shopping Limited

What
Inappropriate processing of personal data.

How much
Unknown.

Why
The ICO received a complaint from a customer of the data controller who complained that they continued processing her personal data for the purpose of direct marketing despite a written notice to the contrary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the personal details of the data subject are suppressed from all company databases to ensure that she will not receive any further marketing material from the data controller. The data controller must also review procedures currently in place to ensure that customers rights under Section 11 of the Act are upheld.

Reason for action
The data controller was continuing to the process the subject’s data, in violation of her rights.

When
21 May 2007

Links
View PDF of the Littlewoods Shop Direct Home Shopping Limited Undertaking (Breach Watch Archive)

Phones 4U Ltd

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Phones 4U premises in Market Way, Coventry, and Regent Street, Swindon. The information included documentation showing customer names and addresses, and bank account details.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
17 May 2007

Links
View PDF of the Phones 4U Ltd Undertaking (Breach Watch Archive)

Dipesh Limited (Trading as Cash Generator)

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Cash Generator premises in Bridge Street, Nuneaton, including correspondence showing customer names and addresses.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
23 April 2007

Links
View PDF of the Dipesh Limited (Trading as Cash Generator) Undertaking (Breach Watch Archive)

The Royal Bank of Scotland plc

What
Loss of personal data

How much
23 records.

Why
Items of personal data were recovered from refuse bins outside branches in Fareham, Manchester, Nottingham and Glasgow, including documents relating to individual accounts and application forms, a private banking form and a photocopy of a customer’s provisional driving license.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to all relevant staff.

Reason for action
The ICO had received complaints about the data controller’s breach of the Seventh Data Protection Principle.

When
23 February 2007

Links

View PDF of the Royal Bank of Scotland plc Undertaking (Breach Watch Archive)

National Westgate Bank plc

What
Loss of personal data

How much
8 records.

Why
Items of personal data were recovered from refuse bins outside branches in Manchester and Southampton, including fax copies of insurance forms, two cut up debit cards and a list of a customers standing orders and direct debits.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of personal data and that appropriate data protection training is given to all relevant employees.

Reason for action
The ICO had received complaints about Westgate Bank’s failure to adhere to the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the National Westgate Bank plc Undertaking (Breach Watch Archive)

HFC Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Newport Branch of the data controller, including a customer’s loan application form, a collections history printout and other miscellaneous papers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff and they are to be required to complete an online refresher course and test on a regular basis of at least once every two years.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
21 February 2007

Links
View PDF of the HFC Bank Limited Undertaking (Breach Watch Archive)

Nationwide Building Society

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Oldham of Nationwide, including a personal financial review in respect of two individuals and a customer information document.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. A review program to monitor compliance must be devised and implemented by Nationwide. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 February 2007

Links
View PDF of the Nationwide Building Society Undertaking (Breach Watch Archive)

Alliance and Leicester plc

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Nottingham of the data controller, including a premier current account application form, a life assurance letter and a credit card application form.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be reminded of their obligations relating to customer confidentiality.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle. This was in breach of a policy the data controller had in place.

When
15 February 2007

Links
View PDF of the Alliance and Leicester plc Undertaking (Breach Watch Archive)

Nationwide Building Society

What

Loss of personal data

How much

Not reported, potentially all customers (10+ million)

Why

Theft of unencrypted laptop from staff member’s home.

Regulator

FSA

Regulatory action

Monetary penalty – £980,000

Reason for action

  • Inadequate risk assessment
  • No incident response plan and slow response to theft (3 weeks)
  • Poor staff training and awareness
  • Poor controls

When

14 February 2007

Links

View the press release relating to Nationwide Building Society on the FSA website

View PDF of the Nationwide Building Society Final Notice (via FSA website)

View PDF of the Nationwide Building Society Final Notice (Breachwatch archive)

The Co-operative Bank plc

What
Loss of personal data

How much
Three records.

Why
Items of personal information were recovered from refuse bins used by the Watford of the data controller, including letter from a customer and a motor insurance quote.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies and procedures relating to the disposal of waste containing personal information are updated and strictly adhered. Adequate and relevant data protection training must be given to all staff, including any sub-contractors.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
14 February 2007

Links
View PDF of the Co-operative Bank plc Undertaking (Breach Watch Archive)