City of York Council

What

Loss of sensitive personal information.

How much

One record.

Why

The information was erroneously included with documentation sent to an unrelated third party.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that documentation containing personal data is not printed when there is no need to do so.

Reason for action

The information was mistakenly collected from a shared printer by an employee who failed to check that the documentation was only for their case. A lack of quality control prevented this error from being discovered until it was too late.

When

05 April 2011.

Links

View PDF of the City of York Council Undertaking (Via ICO Website)

View PDF of the City of York Council Undertaking (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was inappropriately sent out in response to a third-party Subject Access Request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests led to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Warrington and Halton Hospitals NHS Trust

What

Loss of sensitive data.

How much

110 records.

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Although the data controller had a policy in place to ensure that all such devices were encrypted, this laptop had not been encrypted, nor had it been identified as a security risk despite having no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)

Wolverhampton City Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

Personal data belonging to the data controller was dumped in a skip, which was later stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste.

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

15 March 2011.

Links

View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)

View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)

Doncaster Metropolitan Borough Council

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)

Cambridgeshire County Council

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware of policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function, the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Identity and Passport Service

What

Loss of sensitive personal information.

How much

21 records.

Why

21 passport renewal applications were lost from a particular passport office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that reasonable steps are taken to ensure the security of data while it is processed.

Reason for action

All those affected were notified and received new passports without complaint; however, the incident demonstrated insufficiently secure processing of personal data.

When

21 February 2011.

Links

View PDF of the Identity and Passport Service Undertaking (Via ICO Website)

View PDF of the Identity and Passport Service Undertaking (Breach Watch Archive)

Isle of Anglesey County Council

What

Loss of sensitive personal information.

How much

Unknown.

Why

Undertaking issued to ensure that any processing of data by another party is carried out under a written contract with instructions regarding security and processing clearly outlined.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto-completion of email addresses and similar errors.

Reason for action

The data controller had no written contract in place with the data processor, nor had the controller provided instructions on the security and processing of the data. Both of these violate the Act.

When

18 February 2011.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

Gwent Police

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidentally forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto-completion of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover, the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

Ealing Council

Breach details

What: Loss of sensitive personal information.
How much: 958 records.
When: 2010
Why: Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home-working risk assessment was undertaken (although this was in policy).

Regulatory action

Regulator: ICO
Action: Monetary penalty of £80,000
When: 08 February 2011

Why the regulator acted

Breach of act: Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known: Data controller was aware of the possible consequences of such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress: Personal data of clients.