The Children’s Mutual

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidently sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

Direct Response Security Systems

What

Breach of the Privacy and Electronic Communications Act

How much

Why

Making of unsolicited marketing calls.

Regulator

ICO

Regulatory action

Enforcement notice issued to ensure that the numbers of any subscribers who have declared that they do not wish to receive marketing calls are suppressed and that a line data is checked against the TPS list every 28 days.

Reason for action

Each of the individuals who complained about the calls from Direct Response Security Systems Limited had already stated that they did not wish to receive such calls, yet continued to receive them.

When

19 August 2010

Links

View the Direct Response Security Systems Enforcement Notice (Via ICO Website) 

Lampeter Medical Practice

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect to the unauthorised use of memory sticks.

Reason for action
A practical database was downloaded, without authorisation onto an unencrypted and non password protected memory stick

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

NCL (Bahamas) Ltd

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

South Yorkshire Pensions Authority

What
Loss of personal data.

How much
9,140 records.

Why
An unencrypted cd containing personal data relating to 9,140 pension scheme members was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The cd was being used as a working copy by administrative staff in the office environment and there was no indication it had been stolen. It had been created to provide staff easy access to data without full consideration of data security implications.

When
22 April 2010

Links
View PDF of the South Yorkshire Pensions Authority Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)

Redstone Mortgages Ltd

What
Loss of personal data.

How much
15,333 records.

Why
15,333 mortgage records were emailed to a member of the public by accident.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all reports containing personal data are suitably password protected and that this provision in entered into any contracts between the data controller and any data processors acting on its behalf.

Reason for action
The data was being transmitted to the data controller’s head office and several other recipients as part of a monthly analysis report. One of the recipients used an email address that was similar to a member of the public’s, which was mistakenly entered. The data was not encrypted or password protected.

When
19 February 2010

Links
View PDF of the Redstone Mortgages Ltd Undertaking (Breach Watch Archive)

Alzheimer’s Society

What
Loss of sensitive personal data.

How much
Approximately 1,000 records.

Why
Several unencrypted laptop computers, one of which contained personal data, were stolen from the data controller’s Cardiff Office during a burglary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops had been returned to the office for encryption, but this had not yet taken place when the theft occurred. The laptops were neither physically secured by cable locks, nor locked away securely. This was the third data security incident reported to the Commissioner during 2009. It was also revealed that staff did not receive any formal data protection training.

When
1 February 2010

Links
View PDF of the Alzheimer’s Society Undertaking (Breach Watch Archive)

The Association of Teachers and Lecturers

What
Loss of sensitive personal data.

How much
Approximately 6,282 records.

Why
An unencrypted laptop computer and memory stick were lost or stolen from a roadside vehicle as an ATL staff member was packing his car.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff will be prohibited from storing data on personal memory sticks. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptop was the property of ATL and contained sensitive personal data relating to some 6,282 union members. The memory stick was personally owned by the member of staff and contained duplicates of 3,366 of the laptop records.

When
14 January 2010

Links
View PDF of the Association of Teachers and Lecturers Undertaking (Breach Watch Archive)

Bellgrange Mortgages & Insurance Services Ltd

What
Loss of sensitive personal data.

How much
A number of records.

Why
Paper documents containing client details were inappropriately disposed of in waste bins intended for the use of local residents.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The documents were left in the waste bins overnight prior to their collection by the waste disposal contractor. Following their discovery the documents were either returned to Bellgrange or destroyed.

When
9 December 2009

Links
View PDF of the Bellgrange Mortgages & Insurance Services Ltd Undertaking (Breach Watch Archive)