The Royal Hampstead NHS Trust

What
Loss of sensitive personal data.

How much
20,000 records.

Why
An unencrypted disc containing patient information was discovered to be missing.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was not encrypted and the member of staff responsible for downloading the data was believed to have known of its loss for five months before reporting it. Its whereabouts and the precise circumstances of its loss are unknown.

When
8 June 2009

Links
View PDF of the Royal Hampstead NHS Trust Undertaking (Breach Watch Archive)

Surrey and Sussex Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
103 records.

Why
A ward handover sheet was lost and two unencrypted laptops were stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The handover sheet was later located on a bus. The laptops were protected by three locked doors, but the investigation revealed that staff had poor knowledge of the requirement to store data relating to trust business on secure network drives.

When
3 June 2009

Links
View PDF of the Surrey and Sussex Healthcare NHS Trust Undertaking (Breach Watch Archive)

Chelsea & Westminster Hospital

What
Loss of sensitive personal data.

How much
143 records.

Why
An unencrypted memory stick containing patient information was stolen from an unattended and unlocked office being used for a walk-in clinic.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was not encrypted and in fact was not even password protected. The employee was not aware that secure network drive and encryption facilities were available and had used a personal memory stick since Trust equipment was not available.

When
2 June 2009

Links
View PDF of the Chelsea & Westminster Hospital Undertaking (Breach Watch Archive)

The Highland Council

What
Loss of sensitive personal data.

How much
1,400 records.

Why
Two unencrypted laptops were stolen from a locked office on the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted.

Reason for action
The laptops were not encrypted and no additional physical security measures were in place beyond being placed in a locked office.

When
2 June 2009

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

Amicus Legal Ltd

What
Loss of personal data.

How much
100,000 records.

Why
An unencrypted laptop containing personal data was stolen from the locked hotel room of a contracted consultant.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted. All staff must be made aware of this policy, including contracted consultants.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the transfer of the data in question on to a privately owned and unencrypted personal laptop.

When
28 May 2009

Links
View PDF of the Amicus Legal Ltd Undertaking (Breach Watch Archive)

Salford Royal NHS Foundation Trust

What
Loss of sensitive personal data.

How much
3,500 records.

Why
An unencrypted desktop computer containing personal data was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted and only held for as long as absolutely necessary. Mandatory induction data protection training must be given to all staff.

Reason for action
The desktop computer was not secured to the desk or encrypted. Initially the incident was treated only as a loss of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data.

When
22 May 2009

Links
View PDF of the Salford Royal NHS Foundation Trust Undertaking (Breach Watch Archive)

First Response Finance Ltd

What
Loss of personal data.

How much
One record.

Why
The data controller was attempting to establish the current employment of an individual, for the purpose of an application to the Court for an Attachment of Earnings order. The fax which was brought to a District Judge’s attention contained questions asking for personal data which were irrelevant and excessive for the purpose.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Act and in particular the First and Third Principles.

Reason for action
The data controller was asking for personal data without any necessity to do so.

When
11 May 2009

Links
View PDF of the First Response Finance Ltd Undertaking (Breach Watch Archive)

Leicester City Council

What
Loss of sensitive personal data.

How much
About 80 records.

Why
An unencrypted USB memory stick containing data relating to about 80 children was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Staff must be suitably trained in these internal policies and sufficient supervisory checks must be put in place to ensure adherence.

Reason for action
The storage of personal data on an unencrypted USB stick was contrary to council policies and procedures, which required all such devices to be purchased centrally through its IT department and encrypted.

When
7 May 2009

Links
View PDF of the Leicester City Council Undertaking (Breach Watch Archive)

Doncaster Primary Care Trust

What
Loss of sensitive personal data.

How much
About 220,000 records.

Why
An obsolete out of hours GP service voice recording server that held the personal data of patients was removed without authorisation.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Adequate physical security measures must be put in place to protect such devices.

Reason for action
The obsolete server was removed by an external contractor’s engineer who installed a new server. The obsolete server was not missed until 3 weeks later, when the new server failed. During this period the obsolete server was out of the Trust’s control for almost 3 weeks, during which time it was briefly booted up twice. It is unlikely, however, that the clinical voice records it contained were accessed.

When
27 April 2009

Links
View PDF of the Doncaster Primary Care Trust Undertaking (Breach Watch Archive)

Leasowes Community College

What
Loss of sensitive personal data.

How much
About 1,500 records.

Why
An unencrypted USB memory stick containing the personal data of pupils was found by a member of the public.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such a policy.

Reason for action
The USB stick was of poor quality and unencrypted. It does not appear to have been missed and adequate relevant policies and staff training were not in place.

When
20 April 2009

Links
View PDF of the Leasowes Community College Undertaking (Breach Watch Archive)