Jubilee Managing Agency Ltd

What
Loss of personal data.

How much
Around 2,100 records.

Why
An unencrypted disc containing personal data was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Personal data must not be kept any longer than absolutely necessary. Written data protection procedures must be adopted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was unencrypted and contained data relating to policies which had expired, or been cancelled, in some cases over 10 years ago. An investigation revealed that staff had insufficient internal training.

When
23 June 2009

Links
View PDF of the Jubilee Managing Agency Ltd Undertaking (Breach Watch Archive)

Chelsea & Westminster Hospital

What
Loss of sensitive personal data.

How much
143 records.

Why
An unencrypted memory stick containing patient information was stolen from an unattended and unlocked office being used for a walk-in clinic.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The memory stick was not encrypted and was not even password protected. The employee was not aware that a secure network drive and encryption facilities were available, and had used a personal memory stick because Trust equipment was not available.

When
2 June 2009

Links
View PDF of the Chelsea & Westminster Hospital Undertaking (Breach Watch Archive)

Amicus Legal Ltd

What
Loss of personal data.

How much
100,000 records.

Why
An unencrypted laptop containing personal data was stolen from the locked hotel room of a contracted consultant.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted. All staff must be made aware of this policy, including contracted consultants.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the transfer of the data in question on to a privately owned and unencrypted personal laptop.

When
28 May 2009

Links
View PDF of the Amicus Legal Ltd Undertaking (Breach Watch Archive)

First Response Finance Ltd

What
Loss of personal data.

How much
One record.

Why
The data controller was attempting to establish the current employment of an individual, for the purpose of an application to the Court for an Attachment of Earnings order. The fax which was brought to a District Judge’s attention contained questions asking for personal data which were irrelevant and excessive for the purpose.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Act and in particular the First and Third Principles.

Reason for action
The data controller was asking for personal data without any necessity to do so.

When
11 May 2009

Links
View PDF of the First Response Finance Ltd Undertaking (Breach Watch Archive)

Virgin Media Limited

What
Loss of personal data.

How much
3,383 records.

Why
An unencrypted compact disc containing the personal data of 3,383 customers, passed on to the data controller by Carphone Warehouse, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that media devices used to transport and store personal data are encrypted and that any contracts between the data controller and any data processors require this.

Reason for action
The lost CD was unencrypted and the arrangement between the data controller and data processor was insufficient.

When
17 September 2008

Links
View PDF of the Virgin Media Limited Undertaking (Breach Watch Archive)

Merchant Securities Group

What
No breach.

How much
None.

Why
FSA thematic visit.

Regulator
FSA

Regulatory action
Monetary penalty – £77,000

Reason for action
  • Inadequate risk assessment.
  • Poor control over backup media.

When
13 June 2008

Links
View the press release relating to Merchant Securities Group on the FSA website
View PDF of the Merchant Securities Group Final Notice (via FSA website)
View PDF of the Merchant Securities Group Final Notice (Breach Watch Archive)

Shirley (Warwickshire) Royal British Legion Club Ltd

What
Unspecified breach of the Seventh Data Protection Principle.

How much
Unknown.

Why
Unknown.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Seventh Data Protection Principle in Schedule 1 Part 1 of the Act.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 March 2008

Links
View PDF of the Shirley (Warwickshire) Royal British Legion Club Ltd Undertaking (Breach Watch Archive)

Skipton Financial Services Limited

What
Inappropriate processing of personal data.

How much
Unknown.

Why
An unencrypted laptop computer was stolen from Moore Stephens Consulting, who had been engaged to provide professional consultancy services to SFS in relation to a software development project.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data is encrypted. Risk assessments must be carried out to confirm the adequacy and effectiveness of technical and organisational security measures, including those taken by third parties.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
18 February 2008

Links
View PDF of the Skipton Financial Services Limited Undertaking (Breach Watch Archive)

Norwich Union Life

What
  • Disclosure of personal information to fraudsters.
  • Fraudulent policy surrender.

How much
  • 632 records
  • 74 records

Why
Telephone-based fraudsters used publicly available information (name, date of birth, etc.) to impersonate customers and gain access to their accounts.

Regulator
FSA

Regulatory action
Monetary penalty – £1,260,000

Reason for action
The firm was aware of the threat but took inadequate countermeasures, except in the case of Aviva group directors.

When
17 December 2007

Links
View the press release relating to Norwich Union Life on the FSA website
View PDF of the Norwich Union Life Final Notice (via FSA website)
View PDF of the Norwich Union Life Final Notice (Breach Watch Archive)

Orange Personal Communications Services Limited

What
Loss of personal data.

How much
A number of records.

Why
Members of staff who had recently commenced working for the company were allowed to share user names and passwords to access company computer systems holding the personal data of Orange customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances.

Reason for action
The ICO had received a complaint about the sharing of user names and passwords by Customer Service Representatives.

When
23 May 2007

Links
View PDF of the Orange Personal Communications Services Limited Undertaking (Breach Watch Archive)