Better Together

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR) – Sent text messages without the consent of the recipients.
How many 300,000 SMSs.
When 22 March 2013 and 27 April 2013.
Why Better Together were sending out text messages to individuals in Scotland regarding how they would vote in the Scottish Independence Referendum. However, they did not ensure the recipients had given their consent to be contacted as they believed another company had already done this on their behalf.

Regulatory action

Regulator ICO
Action Undertaking to comply with Regulation 22(2) of PECR.
When 19 November 2013.
Details Two rounds of texts were sent out even though Better Together had received a letter from the ICO warning them to comply with the law.

Great Ormond Street Hospital for Children NHS Foundation Trust

Breach details

What Letters containing medical information were sent to the wrong address.
How much 4 records.
When A period of 18 months up to November 2013.
Why Letters were sent out by temporary or bank staff who had not received relevant data protection training as such training was not required for temporary members of staff. Permanent staff were also not obliged to attend training as it was not enforced. In addition to this there were no policies or procedures in place to ensure the accuracy of addresses.

Regulatory action

ActionUndertaking to comply with the seventh data protection principle.

Regulator ICO
When 21 November 2013.
Details Temporary or bank staff must be provided with data protection training before working with personal and sensitive personal data and all training is to be monitored and attendance enforced. Processes are also to be put in place to ensure documents are sent to the right address and practical guidance is to be communicated to all staff.

North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone and it has not been recovered to date. The USB stick had been issued in 2005 in order for the teacher to access neccessary data on their visits to schools and community locations that they performed during the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident and staff could only encrypt their devices through volunteer initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non mandatory and cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks was identified in 2009 but not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although there was an encryption service available from this point it was voluntary and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.

Ministry of Justice

Breach details

What Emails containing sensitive personal data concerning prison inmates accidentally sent to members of the public. This information included coded offences, addresses, identifying physical characteristics and location within the prison.
How much Three emails containing the details of 1,182 prisoners.
When 04 July, 11 July and 01 August 2011.
Why Each day HMP Cardiff manually transfers prisoner details from their network system Quantum onto a biometrics database in order to facilitate visits and other prisoner movements. The data is copied and pasted through Windows Explorer and thus can remain on the clipboard of Quantum. On 01 August the prisoner details were accidentally attached to an email to a member of the public booking a visit to a family member in HMP Cardiff. The individual reported this incident the next day and it was only at this point that the previous two emails came to light as they had not been reported by their recipients or noticed by the prison. Each email was sent by the same recently appointed booking clerk. Shortly after the breach was reported each recipient confirmed in writing that the data had not been disseminated further and was fully deleted; physical access was allowed to confirm this for two of the recipients and the other had already double-deleted the message and attachment.

Regulatory action

Regulator ICO
Action Monetary penalty of £140,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.

The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.

Known or should have known As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
Likely to cause damage or distress The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, and Panasonic’s comprehensive data protection policies that would have prevented this breach were therefore not automatically applied. However, it appears that these policies were not communicated to the company and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Royal Veterinary College

Breach details

What Theft of a camera memory card containing passport images of multiple job applicants.
How much An unknown number.
When December 2012.
Why A memory card containing applicant passport photos was stolen from a camera owned by an employee, and thus fell outside the RVC’s policies and procedures. However, the possiblity of the use of personal devices in the workplace was not accounted for in these policies. Staff data protection training is also inadequate and is not being proactively addressed to prevent similar issues occurring in the future.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 15 October 2013.
Details The RVC is to implement mandatory induction and annual refresher training to all staff who routinely process personal information by 30 April 2014. This training is to be recorded and monitored, and follow-up procedures are to be implemented to ensure that all staff complete this training. In addition to training, all portable and mobile devices used to transmit personal data are to be encrypted and advice given on the use of personal devices.

Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Cardiff and Vale University Health Board

Breach details

What Loss of a bag containing sensitive personal data including a mental health act tribunal report, a solicitor’s letter, and five CV’s.
How much Documents relating to at least seven individuals.
When 26 November 2012.
Why A consultant psychiatrist lost their bag containing these documents when cycling home from the office. The documents were necessary for the consultant to work outside of the office environment, but although other more secure means of transporting the data or remote server access were available they were not communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 04 October 2013.
Details The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.

Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in case was stolen from the proprietor’s car when it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s sytems and should be refreshed within two years. In addition to training new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.