Royal Borough of Windsor & Maidenhead

Breach details

What Personal data disclosed on the council’s intranet in error.
How much 257 records.
When January 2013.
Why A spreadsheet containing details of individuals who had not signed a new employment contract was wrongly appended to a review document for general access on the intranet, rather than being added separately as a restricted item. The ICO investigation revealed that data protection and information security training for those with access to personal data had not been mandatory and that the policies on handling personal data were incomplete.

Regulatory action

Action Undertaking to comply with the seventh data protection principle.

Regulator ICO
When 26 November 2013.
Details The Council will review and revise its data protection policies and ensure existing staff have appropriate training by 31 December 2013. All new staff whose roles involve access to personal data will receive training as soon as they begin their employment at the Council. Compliance with these policies and the training will be regularly monitored and enforced.

North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone, and it has not been recovered to date. The USB stick had been issued in 2005 so that the teacher could access necessary data on the visits to schools and community locations that took up the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident, and staff could only encrypt their devices through voluntary initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non-mandatory and completion cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks were identified in 2009 but the practice was not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although an encryption service was available from this point it was voluntary, and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s systems and should be refreshed within two years. In addition to training, new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.

Cardiff City Council

Breach details

What Failure to meet the requirements of section 7 of the Act.
How much One complaint.
When 21 July 2011
Why The Council failed to respond to a subject access request within the prescribed 40-day period. The Commissioner found that there were systematic failures to meet section 7.

Regulatory action

Regulator ICO
Action Undertaking to comply with the sixth data protection principle.
When 28th August 2013.
Details The Council shall immediately set up clearly defined and managed procedures for dealing with subject access requests and provide staff with the appropriate training. This should include measures for the storage of paper records to ensure that subject access requests are responded to promptly and appropriately.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer thereby making the data available to the public. The documents were discovered on 15th February 2012 and were removed (along with all cached versions) within four hours. However, on 18th February a national newspaper published a story on this incident although personal data was not included after a discussion with the Council.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals. There is also the risk that the information may have been further disseminated and misused.

Local Government Ombudsman (the LGO)

Breach details

What A bag containing an encrypted portable media device and hard copy papers relating to planning application complaints. This included sensitive personal information relating to one of the complainant’s physical or mental health.
How much 8 complaints.
When Unknown.
Why A bag containing sensitive personal information was stolen from one of the Ombudsman’s investigators at a public house. There was a specific reason for the papers to be taken out of the office, and a policy on the security of information in transit existed, but staff were unaware of the policy due to a lack of training.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 22 August 2013
Details The LGO shall provide mandatory annual training to all staff whose role includes the routine processing of personal information. The LGO shall also ensure that all staff are aware of its policies relating to personal information and are updated on any changes to these policies.

Islington Borough Council

Breach details

What Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.
How much 2,375 records.
When 26 June 2012
Why Spreadsheets prepared by one department in response to an FOIA request used pivot tables to provide the summary figures requested; however, the published spreadsheets also contained the raw source data in hidden worksheets within the same workbook. The request had been made via the WhatDoTheyKnow website, which automatically publishes all FOIA responses to the web, so the data was immediately publicly available.

Regulatory action

Regulator ICO
Action Monetary Penalty notice of £70,000
When 20 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
Known or should have known The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
Likely to cause damage or distress The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.
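The Islington breach turned on a property of the file format rather than on any access control: an .xlsx workbook is a zip archive of XML parts, and a worksheet marked hidden (or veryHidden) in xl/workbook.xml is still shipped in full, as are hidden rows and columns in each sheet part and the cached source rows a pivot table keeps under xl/pivotCache/. The check the Commissioner said staff had not been trained to do (“how to check for hidden data within Excel”) can be automated before anything is released under FOIA. The script below is an added example, not the Council’s or the ICO’s code; it reads the archive directly with the standard library, and it goes a little beyond the page’s case by also flagging hidden rows and columns and pivot cache parts, since those carry data in the same way. The sample workbook it builds is constructed inline for the demonstration and is not a real council file.

```python
"""Audit an .xlsx for content that is not visible in the rendered sheets.

Added example, not code from the original page. An .xlsx is a zip of XML
parts: sheet visibility is an attribute in xl/workbook.xml, row/column
hiding is an attribute in xl/worksheets/sheetN.xml, and a pivot table's
source rows persist in xl/pivotCache/pivotCacheRecordsN.xml.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def audit_xlsx(data: bytes) -> dict:
    """Return the hidden or undisplayed content found in an xlsx byte string."""
    findings = {
        "hidden_sheets": [],        # state="hidden": user can unhide via the UI
        "very_hidden_sheets": [],   # state="veryHidden": only visible via VBA/XML
        "hidden_rows": {},          # worksheet part -> number of rows with hidden="1"
        "hidden_cols": {},          # worksheet part -> number of <col> ranges hidden
        "pivot_cache_parts": [],    # parts holding pivot source data
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state == "hidden":
                findings["hidden_sheets"].append(sheet.get("name"))
            elif state == "veryHidden":
                findings["very_hidden_sheets"].append(sheet.get("name"))
        for part in zf.namelist():
            if part.startswith("xl/worksheets/") and part.endswith(".xml"):
                ws = ET.fromstring(zf.read(part))
                rows = [r for r in ws.findall("m:sheetData/m:row", NS) if r.get("hidden") == "1"]
                cols = [c for c in ws.findall("m:cols/m:col", NS) if c.get("hidden") == "1"]
                if rows:
                    findings["hidden_rows"][part] = len(rows)
                if cols:
                    findings["hidden_cols"][part] = len(cols)
            elif part.startswith("xl/pivotCache/"):
                findings["pivot_cache_parts"].append(part)
    return findings


def is_safe_to_publish(findings: dict) -> bool:
    """A workbook is releasable only when every finding list/dict is empty."""
    return not any(findings.values())


def build_sample_xlsx() -> bytes:
    """Constructed test workbook (not a real file): a visible Summary sheet, a
    hidden RawData sheet with one hidden row and one hidden column, and a
    pivot cache part. Only the parts audit_xlsx() reads are included."""
    workbook_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{MAIN_NS}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Summary" sheetId="1" r:id="rId1"/>
    <sheet name="RawData" sheetId="2" state="hidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    summary_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{MAIN_NS}">
  <sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Applicants by ward</t></is></c></row></sheetData>
</worksheet>"""
    raw_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{MAIN_NS}">
  <cols><col min="3" max="3" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Applicant</t></is></c></row>
    <row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>constructed record</t></is></c></row>
  </sheetData>
</worksheet>"""
    pivot_cache_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<pivotCacheRecords xmlns="{MAIN_NS}" count="1"><r><s v="constructed record"/></r></pivotCacheRecords>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", summary_xml)
        zf.writestr("xl/worksheets/sheet2.xml", raw_xml)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", pivot_cache_xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_xlsx(build_sample_xlsx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to publish:", is_safe_to_publish(result))
```

To use it on a real release, pass the file’s bytes to audit_xlsx() and refuse to publish on any non-empty finding; the safer pattern for FOIA responses is to export only the summary figures to a fresh workbook (or CSV) rather than to hide the source sheet, since hiding never removes the data from the file.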

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.

Bedford Borough Council

Breach details

What Sensitive personal data including the mental and physical health of the data subjects held in a social care database.
How much One record.
When Unknown.
Why A record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

BW Comments

This is closely linked to the undertaking signed by Central Bedfordshire Council.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 10 September 2012
Details The social care database was to be completely cleansed of unnecessary data from the previous local authority by 31 March 2013, and security measures were to be implemented to protect personal data.

BW Observations

As with the Central Bedfordshire Council undertaking there is no explanation provided by the Commissioner about the delay in publishing this undertaking although this is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Central Bedfordshire Council

Breach details

What Sensitive personal data incorrectly made available on a planning portal.
How much Two records. This included birth details, private telephone numbers and personal medical information in one case, and physical and mental health details in the other.
When Unknown.
Why An individual’s personal information was made publicly available via a planning portal on the Council’s website. This occurred after documents were given the wrong planning reference number and then placed in an open access, rather than secure, folder. As a result personal information was not deleted from the documents prior to them being posted. In addition to this incident, a record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 18 September 2012.
Details The Council were to ensure that staff were aware of the correct procedures for preparing planning application documentation, to be given appropriate training, and that the procedures were followed. The social care database was also to contain a completely cleansed dataset by 31 March 2013. Finally, appropriate security measures were to be implemented to protect personal data.

BW Observations

Although the undertaking was ‘signed’ on 18 September 2012, it was only published by the ICO on 12 June 2013. This is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Glasgow City Council

Breach details

What Personal data, including some bank account details, on two stolen unencrypted laptops.
How much At least 20,143 records.
When 28 May 2012
Why Two unencrypted laptops were stolen from an office that was in the process of being refurbished. Employee 1 had locked up her laptop and left the key in Employee 2’s drawer. Employee 2 put his laptop in his storage drawer but failed to lock it. Both laptops were stolen. Employee 2’s laptop contained the council’s creditor payment history file, including 20,143 personal names and addresses and 6,069 bank account details.
About 74 other unencrypted laptops are unaccounted for, of which six are known to have been stolen.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 04 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate technical measures to prevent the loss of personal data from laptops, such as implementing port control and encrypting laptops.
Known or should have known In spite of enforcement action taken against the Council in 2010 concerning failings related to unencrypted laptops, unencrypted laptops were still in use in 2012, in breach of the Council’s own policy. It should have been obvious the risks were increased by the physical insecurity of the offices undergoing refurbishment. The Commissioner also highlighted his own well-known guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress As usual, the Commissioner’s argument is that data subjects are likely to have suffered from substantial distress knowing that their personal data may be disclosed to third parties who have no right to see that information. Additionally if the data is disclosed to ‘untrustworthy third parties’ there is the potential that the data subjects may be exposed to identity theft.