Category Archives: Local Government

Cambridgeshire County Council

Posted on by

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Isle of Anglesey County Council

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Undertaking issued to ensure that any processing of data by another party in carried out under a written contract with instructions regarding security and processing clearly outlined.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The data controller has no written contract in place with the data processor, nor had the controller provided instructions on the security and processing of the data. Both of these violate the Act.

When

18 February 2011.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

Ealing Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 958 records.
When 2010
Why Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 08 February 2011

Why the regulator acted

Breach of act Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress Personal data of clients.

Links

View PDF of the Ealing Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Ealing Council Monetary Penalty Notice (Via ICO Website)

Hounslow Council

Posted on by

Breach details

What Loss of sensitive personal information.
How much 698 records.
When 2010
Why Theft of unencrypted laptop from staff member’s home. There was no written contract in place with Ealing Council who processed the data.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 8 February 2011

Why the regulator acted

Breach of act Theft of unencrypted laptop.
Inappropriate organisational and technical measures.
Known or should have known There were no policies requiring the encryption of laptops and the data processors policies were not monitored, despite the data controller having their own Information Security Policy.
Likely to cause damage or distress Personal information of clients.

Links

View PDF of the Hounslow Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hounslow Council Monetary Penalty Notice (Via ICO Website)

Scottish Court Service

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents were discovered at a recycling centre, inappropriately disposed of.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)

Hertfordshire County Council

Posted on by

Breach details

What Loss of highly sensitive personal information by fax.
How much 47 records.
When 11 June 2010
Why Two faxes were sent to the wrong recipients.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 22 November 2010

Why the regulator acted

Breach of act Faxes sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known The ICOs advice on faxing protocols after the first incident were ignored, but the risk had been made clear.
Likely to cause damage or distress Data relating to vulnerable children.

Links

View PDF of the Hertfordshire County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Hertfordshire County Council Monetary Penalty Notice (Via ICO Website)

Stoke-on-Trent City Council

Posted on by

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

Portsmouth City Council

Posted on by

What

Inappropriate disclosure of personal information.

How much

One record.

Why

Third-party data related to an individual was inappropriately released due to a SAR request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all individuals dealing with SARS receive sufficient training and guidance.

Reason for action

It transpired that the individual tasked with redacting data for this type of request was neither an employee of the data controller nor acting under process as a data processor. It was also revealed the guidance and checking of these processes was inadequate.

When

19 October 2010

Links

View PDF of the Portsmouth City Council Undertaking (Via ICO Website)

View PDF of the Portsmouth City Council Undertaking (Breach Watch Archive)

Buckinghamshire County Council

Posted on by

What
Loss of sensitive personal information.

How much
Two records.

Why
Loss of documents containing sensitive personal data included in a plastic wallet with flight and accommodation details given to a social work employee flying to another UK city.
Regulator
ICO

Regulatory action
Undertaking issued to ensure that a proper risk assessment is carried out prior to the removal from the office environment of documents containing sensitive personal data and that they are sufficiently secure in transit.

Reason for action
It was felt that the implications of including the case documents with the travel documents during the journey had been insufficiently considered.

When
8 July 2010

Links

West Sussex County Council

Posted on by

What
Loss of sensitive personal information.

How much
Unknown.

Why
Theft of an unencrypted laptop from an employee’s home

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that staff are made aware of policies on data protection.

Reason for action
Enquiries revealed that the employee had not received any formal data protection/IT security training and was unaware of how to access the data controller’s secure network drive remotely. Although encrypted removable media was available to staff no technical measures were yet in place to enforce their use and it was also discovered that about 2,300 unencrypted laptops were likely to still be in use.

When
17 June 2010

Links
View PDF of West Sussex County Council Undertaking (Via ICO Website)

View PDF of West Sussex County Council Undertaking (Breach Watch Archive)