Category Archives: Local Government

Glasgow City Council

Posted on by

Breach details

What Two unencrypted laptops containing substantial amounts of personal data were stolen from offices undergoing refurbishment.
How much An unknown number of records.
When Unknown
Why An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for.

BW Comments

A Monetary Penalty Notice was issued to Glasgow in respect of this breach but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well.

Regulatory action

Regulator ICO
Action Enforcement Notice
When 04 June 2013
Details Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis.

BW Observations

Interestingly the enforcement notice didn’t re-enforce the 2010 instruction to encrypt laptops.

Links

View PDF of the Glasgow City Council Enforcement Notice (Breach Watch Archive)
View PDF of the Glasgow City Council Enforcement Notice (Via ICO Website)

Halton Borough Council

Posted on by

Breach details

What Details of adoptive parents accidentally disclosed to birth parents.
How much 1 record.
When 25 May 2012
Why An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake only to use the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.

Links

View PDF of the Halton Borough Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Halton Borough Council Monetary Penalty Notice (Via ICO Website)

–>

East Riding of Yorkshire Council

Posted on by

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Links

View PDF of the East Riding of Yorkshire Council Undertaking (Breach Watch Archive)
View PDF of the East Riding of Yorkshire Council Undertaking (Via ICO Website)

Leeds City Council

Posted on by

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Links

View PDF of the Leeds City Council Undertaking (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 20 May 2013
View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)

Mansfield District Council

Posted on by

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Links

View PDF of the Mansfield District Council Undertaking (Breach Watch Archive)
View PDF of the Mansfield District Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 03 May 2013 (published by ICO on 01 November 2013).
View PDF of the Mansfield District Council Undertaking Follow Up (Breach Watch Archive)
View PDF of the Mansfield District Council Undertaking Follow Up (Via ICO Website)

Isle of Anglesey County Council

Posted on by

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)
View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

Leeds City Council

Posted on by

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to 4 data subjects.
When 28 July 2011
Why A support assistant, following council policy and re-using an old envelope for internal mail, failed to cross out the original address and later mistakenly put the envelope in the external post tray. As a result, the document was received by an unauthorised individual.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 95,000
When 16 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
Known or should have known The ICO was satisfied that the Council should have known that that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.

Links

View PDF of the Leeds City Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Leeds City Council Monetary Penalty Notice (Via ICO Website)

Devon County Council

Posted on by

Breach details

What Loss of sensitive personal data
How much Personal data relating to approximately 22 data subjects.
When 12 May 2011
Why A social worker prepared an adoption panel report using another family’s report as template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 10 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.

Links

View PDF of the Devon County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Devon County Council Monetary Penalty Notice (Via ICO Website)

London Borough of Lewisham

Posted on by

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to an undisclosed number of data subjects.
When 16 March 2012
Why Case papers relating to a child protection matter were taken out of the office in a plastic bag and were mistakenly left on a train.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 12 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council had failed to take appropriate measures against the accidental loss of personal data such as having robust policies/ guidelines in place; training for staff who need to take paper files containing sensitive personal data out of the office; providing security locks for bags and using encrypted USBs.
Known or should have known The council recognised that social workers had a business need to take paper files containing confidential and sensitive personal data out of the office and should have put reasonable measures in place to prevent data loss.
Likely to cause damage or distress The data loss would potentially cause substantial distress to individuals including vulnerable children who may know or suspect that their confidential and highly sensitive personal data has been disclosed; and the contravention could have prejudiced the court hearing of the child protection case.

Links

View PDF of the London Borough of Lewisham Monetary Penalty Notice (Breach Watch Archive)
View PDF of the London Borough of Lewisham Monetary Penalty Notice (Via ICO Website)

Plymouth City Council

Posted on by

Breach details

What Loss of sensitive personal data (child protection).
How much 2 records.
When 23 November 2011
Why As a result of a printing problem, two seperate reports were taken from a printer by a social worker, treated as single document and passed to a service user.

BW Comments

A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment it is not unreasonable – given the widespread availability and relative low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 19 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided.
Known or should have known The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress The information concerned child protection and could have have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight, however the breach occurred because there were no controls in place and not because a in-place control failed.

Links

View PDF of the Plymouth City Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Plymouth City Council Monetary Penalty Notice (Via ICO Website)