Scottish Court Service

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents that had been disposed of inappropriately were discovered at a recycling centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)

Hertfordshire County Council

Breach details

What: Loss of highly sensitive personal information by fax.
How much: 47 records.
When: 11 June 2010
Why: Two faxes were sent to the wrong recipients.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £100,000
When: 22 November 2010

Why the regulator acted

Breach of act: Faxes sent to the wrong recipient. Inappropriate organisational and technical measures.
Known or should have known: The ICO's advice on faxing protocols after the first incident was ignored, but the risk had been made clear.
Likely to cause damage or distress: Data relating to vulnerable children.

Stoke-on-Trent City Council

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick, the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

A4e Ltd

Breach details

What: Loss of sensitive personal information.
How much: 24,000 records.
When: 18/19 June 2010
Why: Theft of an unencrypted laptop from a staff member’s home.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £60,000
When: 22 November 2010

Why the regulator acted

Breach of act: Theft of an unencrypted laptop. Inappropriate organisational and technical measures.
Known or should have known: Data controller was aware of the possible consequences of laptops being stolen and had commenced a laptop encryption program.
Likely to cause damage or distress: Financial and personal information of clients.

Google

What

Mistaken collection of payload data.

How much

Unknown, but likely to be minimal.

Why

Google Street View vans, adapted to pick up publicly available Wi-Fi signals, had mistakenly collected payload data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that Google puts in place improved training measures on security awareness and data protection issues for all employees. Project engineers will be required to maintain a privacy design document for every new project before it is launched. All the payload data must be deleted.

Reason for action

Google took rapid remedial action; however, the fact that the issue occurred at all was still of note. Google was required to facilitate a consensual audit by the ICO.

When

19 November 2010

Links

View PDF of the Google Undertaking (Via ICO Website)

View PDF of the Google Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Rainforest Alliance Ltd

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the data controller's security policies.

Reason for action

Although the laptop was password protected and used with permission, it was not encrypted, and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)

Portsmouth City Council

What

Inappropriate disclosure of personal information.

How much

One record.

Why

Third-party data related to an individual was inappropriately released in response to a subject access request (SAR).

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all individuals dealing with SARs receive sufficient training and guidance.

Reason for action

It transpired that the individual tasked with redacting data for this type of request was neither an employee of the data controller nor acting under process as a data processor. It was also revealed that the guidance on and checking of these processes were inadequate.

When

19 October 2010

Links

View PDF of the Portsmouth City Council Undertaking (Via ICO Website)

View PDF of the Portsmouth City Council Undertaking (Breach Watch Archive)

Lord Chief Justice of Northern Ireland

What

Inappropriate disclosure of personal information.

How much

One record.

Why

A document containing an individual’s name and address was inadvertently attached to an email and sent to over three hundred individuals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and are appropriately trained in procedures for distributing emails and adequate checks are carried out.

Reason for action

Although staff had received advice and training on data protection issues in general, there was no written guidance or instructions on how to deal with this type of work.

When

19 October 2010

Links

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Via ICO Website)

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Breach Watch Archive)

North West London Hospitals NHS Trust

What

Loss of sensitive personal information.

How much

56 records.

Why

A computer printout containing patient information was left in a general folder used for auditing that was accidentally left on a tube train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that pseudonymisation techniques are used where individual identification of patients is needed for audit work.

Reason for action

Although much audit work is carried out at home, there was no need for this computer printout to contain the genuine identities of patients.

When

14 October 2010

Links

View PDF of the North West London Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)