Bolton Youth Offending Team

Posted on by

What
Loss of sensitive personal data.

How much
Three records.

Why
A camcorder containing video footage of two young offenders apologising to their young victim was stolen. Two laptops, which did not contain personal data, were also stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The camcorder was stored in a locked cabinet, but the storage room which contained it was not locked and the windows used to gain entry did not provide adequate security. The video footage should have been removed from the camcorder and either stored appropriately or destroyed.

When
28 April 2010

Links
View PDF of the Bolton Youth Offending Team Undertaking (Breach Watch Archive)

NCL (Bahamas) Ltd

Posted on by

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

South Yorkshire Pensions Authority

Posted on by

What
Loss of personal data.

How much
9,140 records.

Why
An unencrypted cd containing personal data relating to 9,140 pension scheme members was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The cd was being used as a working copy by administrative staff in the office environment and there was no indication it had been stolen. It had been created to provide staff easy access to data without full consideration of data security implications.

When
22 April 2010

Links
View PDF of the South Yorkshire Pensions Authority Undertaking (Breach Watch Archive)

Ysgol Bro Famau

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.

When
16 April 2010

Links
View PDF of the Ysgol Bro Famau Undertaking (Breach Watch Archive)

St James Primary School

Posted on by

What
Loss of sensitive personal data.

How much
27 records.

Why
A teacher’s bag containing an unencrypted memory stick was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Memory sticks are not to be used in conjunction with “Report Assist” software to store or transmit personal data.

Reason for action
The memory stick was the teacher’s personal property and contained pupil reports.

When
15 April 2010

Links
View PDF of the St James Primary School Undertaking (Breach Watch Archive)

Birmingham and Solihull Mental Health NHS

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
A laptop storing a number of details relating to patients who had received mental healthcare within the trust, together with a number of staff records, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The laptop was stored stored in an unlocked filling cabinet in a secure, but not alarmed, office. At the time the majority of data stored on the laptop was out of data and had no business need to be retained.

When
9 April 2010

Links
View PDF of the Birmingham and Solihull Mental Health NHS Undertaking (Breach Watch Archive)

Warwickshire County Council

Posted on by

What
Loss of sensitive personal data.

How much
A few records.

Why
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.

The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.

When
19 March 2010

Links
View PDF of the Warwickshire County Council Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

Posted on by

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)

St Albans City and District Council

Posted on by

What
Loss of personal data.

How much
15,333 records.

Why
Four unencrypted laptops were stolen, one of which contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data. Adequate security checks must be carried out on contractor’s staff.

Reason for action
The laptop containing personal data was unencrypted (yet met Council IT security policy at the time) and contained redundant election data that had not been removed in a reasonable amount of time. It was later taken by contracted IT staff and left unsecured, later discovered to be missing along with 3 other laptops.

When
5 March 2010

Links
View PDF of the St Albans City and District Council Undertaking (Breach Watch Archive)

Redstone Mortgages Ltd

Posted on by

What
Loss of personal data.

How much
15,333 records.

Why
15,333 mortgage records were emailed to a member of the public by accident.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all reports containing personal data are suitably password protected and that this provision in entered into any contracts between the data controller and any data processors acting on its behalf.

Reason for action
The data was being transmitted to the data controller’s head office and several other recipients as part of a monthly analysis report. One of the recipients used an email address that was similar to a member of the public’s, which was mistakenly entered. The data was not encrypted or password protected.

When
19 February 2010

Links
View PDF of the Redstone Mortgages Ltd Undertaking (Breach Watch Archive)