Buckinghamshire County Council

What
Loss of sensitive personal information.

How much
Two records.

Why
Loss of documents containing sensitive personal data included in a plastic wallet with flight and accommodation details given to a social work employee flying to another UK city.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a proper risk assessment is carried out prior to the removal from the office environment of documents containing sensitive personal data and that they are sufficiently secure in transit.

Reason for action
It was felt that the implications of including the case documents with the travel documents during the journey had been insufficiently considered.

When
8 July 2010

Links

Kent Police

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are regulated. Where necessary, staff must be given secure transportation and storage facilities for data outside of the office.

Reason for action
The officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home, in breach of the data controller’s policy.

When
18 June 2010

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

West Sussex County Council

What
Loss of sensitive personal information.

How much
Unknown.

Why
Theft of an unencrypted laptop from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store personal data are sufficiently encrypted and that staff are made aware of policies on data protection.

Reason for action
Enquiries revealed that the employee had not received any formal data protection/IT security training and was unaware of how to access the data controller’s secure network drive remotely. Although encrypted removable media was available to staff, no technical measures were yet in place to enforce their use, and it was also discovered that about 2,300 unencrypted laptops were likely to still be in use.

When
17 June 2010

Links
View PDF of West Sussex County Council Undertaking (Via ICO Website)

View PDF of West Sussex County Council Undertaking (Breach Watch Archive)

London Borough of Barnet

What
Loss of sensitive personal information.

How much
Over 9,000 records.

Why
Theft of an encrypted laptop and unencrypted USB and CDs from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are sufficiently encrypted and that staff are suitably trained in the data controller’s policies on data protection, which must be regularly monitored. Finally, the data controller shall agree to a further audit by the ICO within the current fiscal year, to ensure that the requirements of this undertaking are met.

Reason for action
The employee had downloaded the data onto the unencrypted devices without authorisation, though enquiries revealed that insufficient measures were in place to prevent staff from doing so.

When
15 June 2010

Links
View PDF of London Borough of Barnet Undertaking (Via ICO Website)

View PDF of London Borough of Barnet Undertaking (Breach Watch Archive)

Basingstoke and North Hampshire NHS Trust

What
Unnecessary sharing of sensitive personal data.

How much
917 records.

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not password protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)

West Berkshire Council

What
Loss of sensitive personal data.

How much
Unknown.

Why
Loss of an unencrypted USB stick containing sensitive personal data. This was the second data security incident reported by the data controller within 6 months.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store sensitive personal data are encrypted to a sufficient standard.

Reason for action
The USB stick had been used in 2005 by a member of the data controller’s social work department and was not encrypted or password-protected. Although the data controller had provided encrypted USB sticks since 2006, it never required the return of previously used unencrypted media devices.

When
27 May 2010

Links
View PDF of West Berkshire Council’s Undertaking (Via ICO Website)

View PDF of West Berkshire Council’s Undertaking (Breach Watch Archive)

Lampeter Medical Practice

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect of the unauthorised use of memory sticks.

Reason for action
A practice database was downloaded, without authorisation, onto an unencrypted and non-password-protected memory stick.

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

NHS Stoke-on-Trent

What
Possible loss of sensitive personal data.

How much
2,000 records.

Why
Following a request for information about a patient’s medical records, it was discovered that the physical paper records were not within the storage system; later enquiries revealed that about 2,000 records had not been stored.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that adequate physical security for physical records is provided.

Reason for action
It is believed that the records may have been accidentally destroyed or misfiled. Insufficient physical security and tracking was maintained.

When
11 May 2010

Links
View PDF of the NHS Stoke-on-Trent Undertaking (Via ICO Website)

View PDF of the NHS Stoke-on-Trent Undertaking (Breach Watch Archive)

King’s College London

What
Loss of sensitive personal data.

How much
About 200 records.

Why
A mini-Mac computer and several laptops were stolen from an academic office of the data controller in a teaching hospital.

In a second incident several months later two laptops were stolen from another teaching hospital.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
None of the machines were encrypted and it was discovered that the laptops were not normally locked away or physically secured when not in use. Enquiries revealed that staff training and awareness in relation to data protection responsibilities were inadequate. A similar incident had occurred in June 2009 but the data controller did not appear to have incorporated lessons learnt from that incident sufficiently into its wider policies and procedures.

When
5 May 2010

Links
View PDF of the King’s College London Undertaking (Breach Watch Archive)

Eastbourne Borough Council

What
Loss of personal data.

How much
Three records.

Why
Three unencrypted laptops were stolen from the general office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The office had an electronic lock that staff knew to be faulty, and the laptops were neither encrypted nor physically secured to the desks or locked away. The data controller had recently relocated and staff did not have access to the central network for some time, resulting in the use of the laptops to store and update a database containing personal information.

When
29 April 2010

Links
View PDF of the Eastbourne Borough Council Undertaking (Breach Watch Archive)