NHS Surrey

Breach details

What Loss of personal data and sensitive personal data.
How much Approximately 1,570 hard drives. An unspecified number of records.
When 08 March 2010 – 02 July 2012
Why Between 08 March 2010 and 28 May 2012 hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification, it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper – there’s no substitute for watching your old hard drives being put through an industrial shredder.
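Where drives cannot be shredded in front of you and a contractor’s certificate says ‘wiped’, the practical check is to spot-read the media yourself before it leaves the building. The script below is an added example, not part of the original post or any ICO material: it samples block-aligned reads across a disk image (or a block device opened read-only) and reports any block that is not all zeros. It assumes the wipe policy is ‘overwrite with zeros’, so a non-zero block is evidence that the wipe did not happen; the demo image, the block size and the leftover ‘record’ text are all constructed for illustration.

```python
"""
Spot-check a disk image or block device for residual data after a
claimed zero-wipe. Added example; not code from the original post.
Assumption: the contractor's wipe writes zeros, so any non-zero block in
a random sample means the drive was not wiped.
"""
import os
import random
import tempfile

BLOCK = 4096  # sample granularity (assumed; matches common sector clusters)


def device_size(fh):
    """Size in bytes; seeking to the end also works for block devices,
    where os.path.getsize() would report 0."""
    fh.seek(0, os.SEEK_END)
    return fh.tell()


def sample_offsets(size, n_blocks, seed=None):
    """Block-aligned offsets to read: always the first and last block
    (partition table / backup GPT header live there) plus a pseudo-random
    spread of the rest. Asking for >= total blocks gives a full scan."""
    total = max(size // BLOCK, 1)
    rng = random.Random(seed)
    picks = {0, total - 1}
    while len(picks) < min(n_blocks, total):
        picks.add(rng.randrange(total))
    return sorted(p * BLOCK for p in picks)


def scan_image(path, n_blocks=256, seed=None):
    """Read the sampled blocks; return (blocks_checked, dirty_offsets)
    where dirty_offsets lists every sampled block containing a non-zero byte."""
    dirty = []
    with open(path, "rb") as fh:
        offsets = sample_offsets(device_size(fh), n_blocks, seed)
        for off in offsets:
            fh.seek(off)
            chunk = fh.read(BLOCK)
            if any(chunk):  # any() on bytes is True if any byte != 0
                dirty.append(off)
    return len(offsets), dirty


def build_demo_image(path, size_blocks=1024, dirty_blocks=(5, 700)):
    """Constructed sample: a sparse zero-filled image with a few blocks of
    leftover text standing in for a drive that was 'certified' but not wiped."""
    with open(path, "wb") as fh:
        fh.truncate(size_blocks * BLOCK)
        for b in dirty_blocks:
            fh.seek(b * BLOCK)
            fh.write(b"Patient record, NHS number 000 000 0000 (constructed)")


def demo(dirty_blocks=(5, 700), n_blocks=1024):
    """Build the constructed image in a temp dir and scan it.
    Returns (blocks_checked, dirty_offsets)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_demo_image(img, dirty_blocks=dirty_blocks)
        return scan_image(img, n_blocks=n_blocks)


if __name__ == "__main__":
    checked, dirty = demo()
    verdict = "WIPE FAILED" if dirty else "no residual data in sample"
    print(f"{checked} blocks checked: {verdict} {dirty}")
```

Run it against a real device with `scan_image('/dev/sdX')` as root (read-only access is enough). A clean sample is not proof of a wipe, only of the sampled blocks; a single dirty block is proof of failure, which is the asymmetric result you want before signing anything off.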

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 18 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was carried out; there was no written contract with the data processor requiring the company to comply with the regulations; and NHS Surrey did not take appropriate steps to ensure compliance with the regulations.
Known or should have known NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound it by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only about 60% of the penalty (£200K vs £325K) on NHS Surrey for losing around 60% more disks (1,570 vs 1,000).

Bedford Borough Council

Breach details

What Sensitive personal data including the mental and physical health of the data subjects held in a social care database.
How much One record.
When Unknown.
Why A record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

BW Comments

This is closely linked to the undertaking signed by Central Bedfordshire Council.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 10 September 2012
Details The social care database was to be completely cleansed of unnecessary data from the previous local authority by 31 March 2013, and security measures were to be implemented to protect personal data.

BW Observations

As with the Central Bedfordshire Council undertaking there is no explanation provided by the Commissioner about the delay in publishing this undertaking although this is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Central Bedfordshire Council

Breach details

What Sensitive personal data incorrectly made available on a planning portal
How much Two records. This included birth details, private telephone numbers and personal medical information in one case, and physical and mental health details in the other.
When Unknown.
Why An individual’s personal information was made publicly available via a planning portal on the Council’s website. This occurred after documents were given the wrong planning reference number and then placed in an open access, rather than secure, folder. As a result personal information was not deleted from the documents prior to them being posted. In addition to this incident, a record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 18 September 2012.
Details The Council were to ensure that staff were aware of the correct procedures for preparing planning application documentation, to be given appropriate training, and that the procedures were followed. The social care database was also to contain a completely cleansed dataset by 31 March 2013. Finally, appropriate security measures were to be implemented to protect personal data.

BW Observations

Although the undertaking was ‘signed’ on 18 September 2012, it was only published by the ICO on 12 June 2013. This is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

North Staffordshire Combined Healthcare NHS Trust

Breach details

What Sensitive personal data (medical) faxed to an incorrect recipient.
How much 3 records.
When August and September 2011
Why Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number.

Regulatory action

Regulator ICO
Action Monetary penalty of £55,000
When 11 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff.
Known or should have known The trust was aware that there were risks in sending information by fax, because it had introduced the safe haven fax environment and best practice guidelines. It should have known that the best practice guidelines needed to be backed up by training and management controls.
Likely to cause damage or distress The Commissioner’s usual argument that the data subjects, some of whom were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party.

Glasgow City Council

Breach details

What Personal data, including some bank account details, on two stolen unencrypted laptops.
How much At least 20,143 records.
When 28 May 2012
Why Two unencrypted laptops were stolen from an office in the process of being refurbished. Employee 1 had locked up her laptop and left the key in Employee 2’s drawer. Employee 2 put his laptop in his storage drawer but failed to lock it. Both laptops were stolen. Employee 2’s laptop contained the council’s creditor payment history file, including 20,143 personal names and addresses and 6,069 bank account details.
About 74 other unencrypted laptops are unaccounted for, of which six are known to have been stolen.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 04 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate technical measures to prevent the loss of personal data from laptops, such as implementing port control and encrypting laptops.
Known or should have known In spite of enforcement action taken against the Council in 2010 concerning failings related to unencrypted laptops, unencrypted laptops were still in use in 2012, in breach of the Council’s own policy. It should have been obvious the risks were increased by the physical insecurity of the offices undergoing refurbishment. The Commissioner also highlighted his own well-known guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress As usual, the Commissioner’s argument is that data subjects are likely to have suffered from substantial distress knowing that their personal data may be disclosed to third parties who have no right to see that information. Additionally if the data is disclosed to ‘untrustworthy third parties’ there is the potential that the data subjects may be exposed to identity theft.

Glasgow City Council

Breach details

What Two unencrypted laptops containing substantial amounts of personal data were stolen from offices undergoing refurbishment.
How much An unknown number of records.
When Unknown
Why An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for.

BW Comments

A Monetary Penalty Notice was issued to Glasgow in respect of this breach but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well.

Regulatory action

Regulator ICO
Action Enforcement Notice
When 04 June 2013
Details Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis.

BW Observations

Interestingly, the enforcement notice didn’t reinforce the 2010 instruction to encrypt laptops.

Halton Borough Council

Breach details

What Details of adoptive parents accidentally disclosed to birth parents.
How much 1 record.
When 25 May 2012
Why An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake to use only the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.


Stockport Primary Care Trust

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1,000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Trust failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site, but did not take ‘reasonable steps’ to safeguard the data, such as having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the purchaser who found the records.

East Riding of Yorkshire Council

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subject access request made by another family; and in a separate incident a student social worker revealed to the parent of a child under assessment the first name of the person who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Nursing and Midwifery Council

Breach details

What Loss of sensitive personal data (medical and details relating to legal proceedings).
How much An unspecified but small number of records, including the details of two vulnerable children and the details of, and allegations against, a medical practitioner.
When 07 October 2011
Why In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practise’ hearing went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lessons that every Data Controller should have learned from the HMRC breach were:

  1. Always use couriers when sending personal data on physical media.
  2. Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council used a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000
When 12 February 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.