Category Archives: Public sector

Brent Teaching Primary Care Trust

Posted on by

What
Loss of sensitive personal data.

How much
70 records.

Why
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted, Staff must be adequately trained on the data controller’s information security policies.

Reason for action
The laptops were unencrypted and although the office was locked they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.

When
19 January 2009

Links
View PDF of the Brent Teaching Primary Care Trust Undertaking (Breach Watch Archive)

Abertawe Bro Morgannwg University NHS Trust

Posted on by

What
Loss of personal data.

How much
5,000 records.

Why
An unencrypted laptop containing sensitive personal data relating to approximately 5,000 patients was stolen from an unlocked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the portable and mobile devices are encrypted to a suitable standard.

Reason for action
The Laptop was unencrypted and the office was not locked as it usually would have been.

When
14 January 2009

Links
View PDF of the Abertawe Bro Morgannwg University NHS Trust Undertaking (Breach Watch Archive)

Tees, Esk and Wear Valleys NHS Foundation Trust

Posted on by

What
Loss of personal data.

How much
Unknown.

Why
An unencrypted data stick holding personal data and sensitive personal data relating to health patients and trust staff was found by a member of the public and handed in to the press.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that only data sticks with suitable encryption are used by Trust staff and that an adequate encryption policy and procedures are put in place. All staff must be given appropriate data protection training.

Reason for action
The lost data stick was unencrypted and there was no encryption policy in place.

When
2 January 2009

Links
View PDF of the Tees, Esk and Wear Valleys NHS Foundation Trust Undertaking (Breach Watch Archive)

Hampshire Partnership NHS Trust

Posted on by

What
Loss of personal data.

How much
1,161 records.

Why
1,161 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transporting of all personal data should be risk assessed, and where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
19 December 2008

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)

Southampton City Primary Care Trust

Posted on by

What
Loss of personal data.

How much
168 records.

Why
168 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transporting of all personal data should be risk assessed, and where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
13 January 2008

Links
View PDF of the Southampton City Primary Care Trust Undertaking (Breach Watch Archive)

The Department of Health

Posted on by

What
Inappropriate processing of personal data

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website was readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website must be encrypted. Instructions and advice as to the use of passwords and PIN numbers be given to the data controller to those entitled to access the site. Staff will be given appropriate training and regular penetration and vulnerability testing of developing applications and systems to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)

The Foreign and Commonwealth Office

Posted on by

What
Loss of personal data

How much
Unknown.

Why
The ICO was informed by Ukvisas that there had been a breach of security in the VFS online visa application facility. The security breach resulted in the personal data of persons applying for visas to enter being viewable by others.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the VFS on-line application websites will not be re-opened and will be replaced by visa4UK. A strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processor’s data security procedures. The website will be regularly monitored and adequate and relevant data protection will be given to all UKvisas staff on an ongoing basis.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
19 October 2007

Links
View PDF of the Foreign and Commonwealth Office Undertaking (Breach Watch Archive)

The Northern Ireland Office

Posted on by

What
Inappropriate processing of personal data

How much
Unknown.

Why
The data controller failed to respond to a subject access request made by the data subject relating to the processing of personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all subject access requests received by the data controller are dealt with in compliance with the provisions contained within Section 7 of the Data Protection Act. Adequate and relevant training is provided to all employees who are engaged in the process of dealing with subject access requests.

Reason for action
The ICO had received a complaint about the data controller’s failure to respond to a subject access request.

When
9 July 2007

Links
View PDF of the Northern Ireland Office Undertaking (Breach Watch Archive)

Post Office Limited

Posted on by

What
Loss of personal data

How much
250 records.

Why
Items of personal information were recovered from refuse bins used by the London Road Southampton, Rymans franchise branch of the data controller. The information consisted of 65 Firm E111 applications forms, 158 receipts, 12 travel insurance forms, eight daily passport schedules and a money transfer showing the name of seven customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that data protection procedures are reviewed and updated where necessary to ensure that the correct procedures are in place for the handling and disposal of personal data. Staff must be sufficiently trained in these procedures.

Reason for action
The data controller had established procedures as evidenced by a declaration form (Form P13), but the breach nevertheless occurred and the ICO received complaints from members of the public.

When
26 February 2007

Links

View PDF of the Post Office Limited Undertaking (Breach Watch Archive)