Category Archives: Public sector

Hounslow Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 698 records.
When 2010
Why Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council who processed the data.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 8 February 2011

Why the regulator acted

Breach of act Theft of unencrypted laptop.
Inappropriate organisational and technical measures.
Known or should have known There were no policies requiring the encryption of laptops and the data processors policies were not monitored, despite the data controller having their own Information Security Policy.
Likely to cause damage or distress Personal information of clients.

Links

View PDF of the Hounslow Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hounslow Council Monetary Penalty Notice (Via ICO Website)

NHS Blood and Transplant

Posted on by

What

Loss of sensitive personal information.

How much

444,031 records

Why

Organ donation preferences were recorded incorrectly due to a software error.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data must be routinely checked for accuracy.

Reason for action

The software error had been introduced into the system early in 1999 and had not been uncovered in the years that followed due to a lack of data checks.

When

21 January 2011

Links

View PDF of the NHS Blood and Transplant Undertaking (Via ICO Website)

View PDF of the NHS Blood and Transplant Undertaking (Breach Watch Archive)

Scottish Court Service

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents were discovered at a recycling centre, inappropriately disposed of.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)

Hertfordshire County Council

Posted on by

Breach details

What Loss of highly sensitive personal information by fax.
How much 47 records.
When 11 June 2010
Why Two faxes were sent to the wrong recipients.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 22 November 2010

Why the regulator acted

Breach of act Faxes sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known The ICOs advice on faxing protocols after the first incident were ignored, but the risk had been made clear.
Likely to cause damage or distress Data relating to vulnerable children.

Links

View PDF of the Hertfordshire County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hertfordshire County Council Monetary Penalty Notice (Via ICO Website)

Stoke-on-Trent City Council

Posted on by

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

Posted on by

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Portsmouth City Council

Posted on by

What

Inappropriate disclosure of personal information.

How much

One record.

Why

Third-party data related to an individual was inappropriately released due to a SAR request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all individuals dealing with SARS receive sufficient training and guidance.

Reason for action

It transpired that the individual tasked with redacting data for this type of request was neither an employee of the data controller nor acting under process as a data processor. It was also revealed the guidance and checking of these processes was inadequate.

When

19 October 2010

Links

View PDF of the Portsmouth City Council Undertaking (Via ICO Website)

View PDF of the Portsmouth City Council Undertaking (Breach Watch Archive)

Lord Chief Justice of Northern Ireland

Posted on by

What

Inappropriate disclosure of personal information.

How much

One record.

Why

A document containing an individual’s name and address was inadvertently attached to an email and sent to over three hundred individuals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and are appropriately trained in procedures for distributing emails and adequate checks are carried out.

Reason for action

Although staff had received advice and training on data protection issues in general there was no written guidance or instructions on how to deal with this type of work.

When

19 October 2010

Links

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Via ICO Website)

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Breach Watch Archive)

North West London Hospitals NHS Trust

Posted on by

What

Loss of sensitive personal information .

How much

56 records.

Why

A computer printout containing patient information was left in a general folder used for auditing that was accidently left on a tube train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that psuedonymisation techniques are used where individual identification of patients is needed for audit work.

Reason for action

Although much audit work is carried out at home there was no need for this computer print out to contain the genuine identities of patients.

When

14 October 2010

Links

View PDF of the North West London Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Forth Valley NHS Board

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handing in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the Newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)