Phoenix Nursery School

What

Loss of sensitive personal data.

How much

Unknown.

Why

A backup tape and supporting device containing details of pupils, parents and guardians were lost.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that in the future all personal data is encrypted to a sufficient standard and that current operational procedures are reviewed and revised.

Reason for action

While the backup tape did not appear to have been stolen, it could not be located. The data controller contacted all parents and guardians affected by the incident to advise them accordingly. However, although the data on the device was recovered in full, the Commissioner’s investigation revealed that the technical measures employed by the school were inadequate.

When

16 November 2011.

Links

View PDF of the Phoenix Nursery School Undertaking (Via ICO Website)

View PDF of the Phoenix Nursery School Undertaking (Breach Watch Archive)

Spectrum Housing Group

What

Personal data relating to employees accidentally sent to an outside recipient.

How much

200 records.

Why

Records accidentally sent to an outside recipient due to the data controller’s e-mail system automatically predicting the intended recipient based on previously sent messages.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data will only be sent by email when necessary. Data should be made secure and staff should be made aware of company policies.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

19 October 2011.

Links

View PDF of the Spectrum Housing Group Undertaking (Via ICO Website)

View PDF of the Spectrum Housing Group Undertaking (Breach Watch Archive)

Association of School and College Leaders

What

Loss of sensitive personal data.

How much

100 records.

Why

Theft of unencrypted laptop from staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted.

Reason for action

Although encryption software was provided, whether or not to use it was left to the discretion of staff members.

When

05 October 2011.

Links

View PDF of the Association of School and College Leaders Undertaking (Via ICO Website)

View PDF of the Association of School and College Leaders Undertaking (Breach Watch Archive)

Holly Park School

What

Loss of sensitive personal data.

How much

Nine records.

Why

Theft of an unencrypted laptop from school premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted and are kept physically secure.

Reason for action

Although the laptop was kept in a locked filing cabinet, the office it was housed in was not locked.

When

05 October 2011.

Links

View PDF of the Holly Park School Undertaking (Via ICO Website)

View PDF of the Holly Park School Undertaking (Breach Watch Archive)

Lush Cosmetics

What

Compromise of credit card details.

How much

5,000 records.

Why

Malicious website intrusion.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the website is subject to continued penetration testing and kept to an appropriate level of security.

Reason for action

Security measures in place were deemed insufficient to prevent a determined attack.

When

09 August 2011.

Links

View PDF of the Lush Cosmetics Undertaking (Via ICO Website)

View PDF of the Lush Cosmetics Undertaking (Breach Watch Archive)

HCA International Limited

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from one of the group’s hospitals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient standard encryption is used and physical security is upgraded.

Reason for action

  • Laptop containing the data was unencrypted.
  • Physical security of the laptop was deemed insufficient to prevent theft.

When

05 August 2011.

Links

View PDF of the HCA International Limited Undertaking (Via ICO Website)

View PDF of the HCA International Limited Undertaking (Breach Watch Archive)

Ms Raisa Saley, barrister at law

What

Loss of sensitive personal data.

How much

“Considerable”

Why

Loss of a bundle of legal papers while commuting by train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data would not be taken off site unless strictly necessary and that records are kept secure.

Reason for action

The records were taken off-site in an unlocked suitcase, which was then lost.

When

05 July 2011.

Links

View PDF of the Ms Raisa Saley Undertaking (Via ICO Website)

View PDF of the Ms Raisa Saley Undertaking (Breach Watch Archive)

Cherubs Community Playgroup

What

Loss of sensitive personal data.

How much

47 records.

Why

Theft of an unencrypted laptop from the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops containing sensitive personal information are encrypted and sufficient physical security measures are implemented.

Reason for action

The playgroup’s premises were located in a publicly used building and security measures were only implemented during playgroup hours.

When

28 June 2011.

Links

View PDF of the Cherubs Community Playgroup Undertaking (Via ICO Website)

View PDF of the Cherubs Community Playgroup Undertaking (Breach Watch Archive)

Internet Eyes Limited

What

Loss of personal data.

How much

One record.

Why

A short video from the data controller’s security feed was posted on YouTube in which an individual was clearly recognisable.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the transmission of data is sufficiently secure, and that an audit trail is implemented for all users.

Reason for action

The video stream of security footage across the internet was not encrypted and, due to the lack of an audit trail, it was impossible to determine how the video had been posted.

When

14 June 2011.

Links

View PDF of the Internet Eyes Limited Undertaking (Via ICO Website)

View PDF of the Internet Eyes Limited Undertaking (Breach Watch Archive)

Asperger’s Children & Carers Together (ACCT)

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The stolen laptop was unencrypted and investigation revealed that the data controller’s policies and procedures did not fully comply with the Act’s requirements.

When

27 May 2011.

Links

View PDF of the Asperger’s Children & Carers Together Undertaking (Via ICO Website)

View PDF of the Asperger’s Children & Carers Together Undertaking (Breach Watch Archive)