Loss of sensitive personal data.
One record.
Faxes were incorrectly sent to the wrong recipient over a period of at least a year.
ICO
Undertaking issued to ensure that records are transmitted to GPs in a more secure manner and a ring ahead procedure is implemented.
The Fax was intended for the patient’s GP, but the wrong Fax number was recorded.
01 July 2011.
Loss of personal data.
21 records
A teacher’s bag was stolen containing an unencrypted memory stick and paperwork.
ICO
Undertaking issued to ensure that portable data devices are encrypted and that staff only take data off site when absolutely necessary.
The memory stick, containing personal data, was unencrypted.
14 June 2011.
View PDF of the Surbiton Children’s Central Nursery Undertaking (Via ICO Website)
View PDF of the Surbiton Children’s Central Nursery Undertaking (Breach Watch Archive)
| What | Loss of sensitive personal information on three occasions. |
| How much | 241 records. |
| When | May – June 2010 |
| Why | Records were accidently sent out in an email copied to a global distribution list, minutes of a confidential strategy discussion erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group. |
| Regulator | ICO | Action | Monetary penalty of £ 120,000 |
| When | 9 June 2011 |
| Breach of act | Emails were unencrypted and sent to the wrong recipients. Inappropriate organisational and technical measures. |
| Known or should have known | The risk of incorrect drop down boxes being selected were “self evident”. |
| Likely to cause damage or distress | Records related to special needs. |
| View PDF of the Surrey Council Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the Surrey Council Monetary Penalty Notice (Via ICO Website) |
Loss of sensitive personal data.
Six records.
ICO
Undertaking issued to ensure that adequate security measures and implemented for hard copy documentation and that such documents contain the minimum amount of personal data necessary.
The home support worker’s bag was not locked and further investigation revealed that staff were given insufficient guidance about how to use and transport such documentation.
08 June 2011.
View PDF of the North Lanarkshire Council Undertaking (Via ICO Website)
View PDF of the North Lanarkshire Council Undertaking (Breach Watch Archive)
Loss of sensitive personal data.
One record.
ICO
Undertaking issued to ensure that procedures are implemented to record quality control checks prior to the distribution of documents.
The incident revealed a lack of sufficient checks and controls in areas of the data controller’s operations dealing with significant amounts of personal data.
13 May 2011.
View PDF of the Somerset County Council Undertaking (Via ICO Website)
View PDF of the Somerset County Council Undertaking (Breach Watch Archive)
Loss on sensitive personal information on three occasions.
Three records
Faxes containing personal information were erroneously sent to the wrong number.
ICO
Undertaking issued to ensure that staff are sufficiently training in both the usage of and policies relating to the transmission of data via, fax machines.
Insufficiently clear instructions and training was provided to staff.
19 April 2011.
View PDF of the Borough of Poole Undertaking (Via ICO Website)
View PDF of the Borough of Poole Undertaking (Breach Watch Archive)
Possible loss of sensitive personal information.
Three records
Discovery that some hard copy files relating to cases could not be accounted for.
ICO
Undertaking issued to ensure that all correspondence regarding personal data is adequately protected and a permanent system for the logging of data is put into place.
It was impossible, due to insufficient data tracking, to be sure if the data had ever been received by the data controller, let alone lost.
15 April 2011.
View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Via ICO Website)
View PDF of the Council for Healthcare Regulatory Excellence Undertaking (Breach Watch Archive)
Loss of sensitive personal information.
One record.
The information was erroneously included with documentation sent to an unrelated third party.
ICO
Undertaking issued to ensure that documentation containing personal data is not printed when there is no need to do so.
The information was mistakenly collected from a shared printer by an employee who failed to check that the documentation was only for their case. A lack of quality control prevented this error from being discovered until it was too late.
05 April 2011.
View PDF of the City of York Council Undertaking (Via ICO Website)
View PDF of the City of York Council Undertaking (Breach Watch Archive)
Loss of sensitive personal data.
Unknown.
Personal data belonged to the data controller was dumped in a skip, which was later stolen.
ICO
Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste
The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.
15 March 2011.
View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)
View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)
Inappropriate disclosure of personal information.
39 records.
A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.
ICO
Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.
This was the second time such an event had occurred.
25 February 2011.
View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)
View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)