Cardiff and Vale University Health Board

Breach details

What Loss of a bag containing sensitive personal data including a Mental Health Act tribunal report, a solicitor’s letter, and five CVs.
How much Documents relating to at least seven individuals.
When 26 November 2012.
Why A consultant psychiatrist lost their bag containing these documents while cycling home from the office. The consultant needed the documents to work outside the office, and although more secure means of transporting the data (and remote server access) were available, these had not been communicated clearly to staff. The individual also did not receive induction training (including data protection training) until after the incident had occurred.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 04 October 2013.
Details The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s systems and should be refreshed within two years. In addition to training, new procedures covering issues such as the transport of personal data outside the office must be drafted by 30 November.

Cardiff City Council

Breach details

What Failure to meet the requirements of section 7 of the Act.
How much One complaint.
When 21 July 2011.
Why The Council failed to respond to a subject access request within the prescribed 40-day period. The Commissioner found that there were systematic failures to meet section 7.

Regulatory action

Regulator ICO
Action Undertaking to comply with the sixth data protection principle.
When 28 August 2013.
Details The Council shall immediately set up clearly defined and managed procedures for dealing with subject access requests and provide staff with the appropriate training. This should include measures for the storage of paper records to ensure that subject access requests are responded to promptly and appropriately.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her home PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer, making the data available to the public. The documents were discovered on 15 February 2012 and were removed (along with all cached versions) within four hours. However, on 18 February a national newspaper published a story on the incident, although, after discussion with the Council, no personal data was included.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of the data subjects’ personal information is likely to cause them substantial distress, particularly as the information was supposed to be handled in confidence. The data is particularly sensitive as it identifies vulnerable individuals. There is also the risk that the information may have been further disseminated and misused.

Local Government Ombudsman (the LGO)

Breach details

What A bag containing an encrypted portable media device and hard-copy papers relating to planning application complaints. This included sensitive personal information relating to one complainant’s physical or mental health.
How much 8 complaints.
When Unknown.
Why A bag containing sensitive personal information was stolen from one of the Ombudsman’s investigators at a public house. There was a specific reason for the papers to be taken out of the office, and a policy on the security of information in transit existed, but staff were unaware of the policy due to a lack of training.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 22 August 2013
Details The LGO shall provide mandatory annual training to all staff whose role includes the routine processing of personal information. The LGO shall also ensure that all staff are aware of its policies relating to personal information and are informed of any changes to these policies.

Islington Borough Council

Breach details

What Spreadsheets containing sensitive personal data in hidden worksheets were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details of housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.
How much 2,375 records.
When 26 June 2012
Why Spreadsheets prepared by one department in response to an FOIA request used pivot tables to provide the summary information requested; however, the published workbooks still contained the pivot tables’ raw source data in hidden worksheets within the same file. The request originated via the WhatDoTheyKnow website, which automatically publishes all FOIA responses on the web, so the hidden data was made publicly available.

Regulatory action

Regulator ICO
Action Monetary Penalty notice of £70,000
When 20 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
Known or should have known The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
Likely to cause damage or distress The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.
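The failure described above is mechanical and therefore checkable: an .xlsx file is a zip archive of XML parts, so sheet visibility, hidden rows and columns, and pivot-table caches (which keep a full copy of the source rows even if the source sheet is later deleted) can all be inspected before a workbook is released, without Excel and without third-party libraries. The following is an added example of such a pre-publication check, not code from this page or from the Council; the sample workbook it builds is constructed inline and is a minimal skeleton containing only the parts the audit reads, not a complete Office package.

```python
"""Pre-publication audit of an .xlsx for content that is not visible on screen.

Added example using only the Python standard library. The workbook built by
build_sample_workbook() is constructed for this example, not taken from the case.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def _is_true(value):
    # OOXML booleans may be written as "1"/"0" or "true"/"false".
    return value in ("1", "true")


def audit_xlsx(data: bytes) -> dict:
    """Return everything in the workbook that a reviewer would not see on a visible sheet."""
    findings = {"hidden_sheets": [], "pivot_caches": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        # Sheet visibility lives in workbook.xml. A "veryHidden" sheet cannot be
        # unhidden from the Excel UI at all, so it is the case most often missed.
        for sheet in workbook.iter(f"{{{NS}}}sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        # A pivot table stores its source rows in pivotCacheRecords parts, which
        # survive even when the sheet holding the raw data has been deleted.
        findings["pivot_caches"] = sorted(
            n for n in names if n.startswith("xl/pivotCache/pivotCacheRecords")
        )
        for part in names:
            if not (part.startswith("xl/worksheets/sheet") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(z.read(part))
            rows = [r.get("r") for r in ws.iter(f"{{{NS}}}row") if _is_true(r.get("hidden"))]
            cols = [(c.get("min"), c.get("max")) for c in ws.iter(f"{{{NS}}}col")
                    if _is_true(c.get("hidden"))]
            if rows:
                findings["hidden_rows"][part] = rows
            if cols:
                findings["hidden_cols"][part] = cols
    return findings


def safe_to_publish(findings: dict) -> bool:
    """Block release if any hidden content or pivot cache is present."""
    return not any(findings.values())


def build_sample_workbook(leaky: bool = True) -> bytes:
    """Constructed test input (hypothetical data): a visible summary sheet and, when
    leaky, a veryHidden sheet of raw rows, a hidden column and one pivot cache."""
    sheets = '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
    cols = ""
    if leaky:
        sheets += '<sheet name="Applicants_raw" sheetId="2" state="veryHidden" r:id="rId2"/>'
        cols = '<cols><col min="3" max="3" width="9" hidden="1"/></cols>'
    workbook_xml = f'<workbook xmlns="{NS}" xmlns:r="{NS_R}"><sheets>{sheets}</sheets></workbook>'
    summary_xml = (
        f'<worksheet xmlns="{NS}">{cols}<sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Applicants by ward</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    raw_xml = (
        f'<worksheet xmlns="{NS}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>applicant 1, ward 4, ethnicity code</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", summary_xml)
        if leaky:
            z.writestr("xl/worksheets/sheet2.xml", raw_xml)
            z.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                       f'<pivotCacheRecords xmlns="{NS}" count="1"/>')
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_xlsx(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to publish:", safe_to_publish(result))
```

The check is deliberately strict: the presence of any pivot cache is treated as a blocker even when no sheet is hidden, because the safe way to publish summary figures is to paste them as values into a fresh workbook rather than to ship the pivot table with its cache.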

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However, the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.

Northern Health and Social Care Trust

Breach details

What Personal data including information on physical or mental health.
How much An unknown number of incidents including the faxing of confidential service user information to the wrong recipient and the inappropriate disclosure of personal data to professionals working with the Trust.
When An unknown period, dating to at least May 2011.
Why A number of security incidents led to the Commissioner’s investigation into the Trust. It was discovered that most of the staff involved in these incidents had not received the supposedly mandatory Information Governance training, and the Trust failed to monitor and enforce staff completion of training. This led to staff being unaware of Information Governance policies.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details From the date of this undertaking staff are to be made aware of policies regarding the storage and use of personal data and given appropriate training in these and in dealing with security breaches. Measures should be put in place to ensure that staff attend all mandatory training. In addition, portable devices used to store personal data must be encrypted.

Derbyshire, Leicestershire and Nottinghamshire Police Forces

Breach details

What The theft of laptops containing sensitive personal data including prison records and offender details.
How much Approximately 4,500 records held on eight laptops.
When 14 August 2010.
Why These police forces were part of the East Midlands Collaboration Unit (EMCU), whose offices were burgled in August 2010. Eight laptops belonging to seconded officers were stolen; they had not been stored in the lockable containers available, and two were unencrypted. Derbyshire and Leicestershire Police had not undertaken their own risk assessments and relied on the security measures of Nottinghamshire Police. However, those measures did not require laptops to be encrypted, made no provision for locking them away, and did not include monitoring of the offices during this period.

Regulatory action

Regulator ICO
Action Enforcement Notice issued to limit the sharing of personal data.
When 18 June 2013
Details These police forces shall only share personal data as part of a collaborative project if a Senior Information Risk Owner has been appointed to oversee the work and risk-assess the premises; laptops and other portable electronic devices are encrypted; and all officers involved in the project are given appropriate training. These measures were to be implemented within 35 days.

Hertfordshire Constabulary

Breach details

What Breach of the First and Third Data Protection Principles and the European Convention on Human Rights. Personal data in the form of vehicle numberplates.
How much An unknown number of records.
When Unknown.
Why Currently all vehicles entering and leaving Royston have their numberplates recorded by ANPR cameras. Although this data can only be accessed in limited circumstances, the Commissioner is concerned that it could be used for other purposes and that there is a risk of unauthorised or unlawful access to it.

Regulatory action

Regulator ICO
Action Enforcement Notice Issued to Hertfordshire Constabulary.
When 15 July 2013.
Details Enforcement notice issued to ensure that within 90 days the personal data recorded by the ANPR cameras will no longer be processed without a Privacy Impact Assessment.

Health & Care Professions Council

Breach details

What Documents containing personal data relating to a ‘fitness to practise’ hearing.
How much An unknown number of documents.
When 2011.
Why A suitcase containing documents relating to a ‘fitness to practise’ hearing was stolen from a train. The solicitors who had prepared these documents had not signed a contract requiring them to act only under instruction from the Data Controller, and had not been provided with specific guidance on the redaction of these documents for hearings.

BW Comments

It is strange that the ICO highlights the lack of an adequate contract between the Data Controller and their solicitor. Surely the normal contract of engagement between a client and solicitor would provide the necessary requirements of confidentiality and that the solicitor should only act on the client’s instructions?

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 09 July 2013.
Details The Data Controller is to immediately enter into a contract with its solicitors and issue instructions regarding the processing of personal data. In addition, agents and contractors given access to personal data are to be provided with specific guidance around data security; compliance with policies on data protection is to be regularly monitored; and security measures are to be implemented to protect personal data.