Abertawe Bro Morgannwg University NHS Trust

What
Loss of personal data.

How much
5,000 records.

Why
An unencrypted laptop containing sensitive personal data relating to approximately 5,000 patients was stolen from an unlocked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable and mobile devices are encrypted to a suitable standard.

Reason for action
The laptop was unencrypted and the office was not locked, as it usually would have been.

When
14 January 2009

Links
View PDF of the Abertawe Bro Morgannwg University NHS Trust Undertaking (Breach Watch Archive)

Tees, Esk and Wear Valleys NHS Foundation Trust

What
Loss of personal data.

How much
Unknown.

Why
An unencrypted data stick holding personal data and sensitive personal data relating to health patients and trust staff was found by a member of the public and handed in to the press.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that only data sticks with suitable encryption are used by Trust staff and that an adequate encryption policy and procedures are put in place. All staff must be given appropriate data protection training.

Reason for action
The lost data stick was unencrypted and there was no encryption policy in place.

When
2 January 2009

Links
View PDF of the Tees, Esk and Wear Valleys NHS Foundation Trust Undertaking (Breach Watch Archive)

Hampshire Partnership NHS Trust

What
Loss of personal data.

How much
1,161 records.

Why
1,161 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transport of all personal data is risk assessed and, where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
19 December 2008

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)

Virgin Media Limited

What
Loss of personal data.

How much
3,383 records.

Why
An unencrypted compact disc containing the personal data of 3,383 customers, passed on to the data controller by Carphone Warehouse, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that media devices used to transport and store personal data are encrypted and that any contracts between the data controller and any data processors require this.

Reason for action
The lost CD was unencrypted and the arrangement between the data controller and data processor was insufficient.

When
17 September 2008

Links
View PDF of the Virgin Media Limited Undertaking (Breach Watch Archive)

Merchant Securities Group

What

No breach.

How much

None.

Why

FSA thematic visit.

Regulator

FSA

Regulatory action

Monetary penalty – £77,000

Reason for action

  • Inadequate risk assessment.
  • Poor control over backup media.

When

13 June 2008

Links

View the press release relating to Merchant Securities Group on the FSA website

View PDF of the Merchant Securities Group Final Notice (via FSA website)

View PDF of the Merchant Securities Group Final Notice (Breachwatch archive)

Shirley (Warwickshire) Royal British Legion Club Ltd

What
Unspecified breach of the Seventh Data Protection Principle.

How much
Unknown.

Why
Unknown.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that personal data is processed in accordance with the Seventh Data Protection Principle in Schedule 1 Part 1 of the Act.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 March 2008

Links
View PDF of the Shirley (Warwickshire) Royal British Legion Club Ltd Undertaking (Breach Watch Archive)

Skipton Financial Services Limited

What
Inappropriate processing of personal data.

How much
Unknown.

Why
An unencrypted laptop computer was stolen from Moore Stephens Consulting, who had been engaged to provide professional consultancy services to SFS in relation to a software development project.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data is encrypted. Risk assessments must be carried out to confirm the adequacy and effectiveness of technical and organisational security measures, including those taken by third parties.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
18 February 2008

Links
View PDF of the Skipton Financial Services Limited Undertaking (Breach Watch Archive)

Southampton City Primary Care Trust

What
Loss of personal data.

How much
168 records.

Why
168 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transport of all personal data is risk assessed and, where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
13 January 2008

Links
View PDF of the Southampton City Primary Care Trust Undertaking (Breach Watch Archive)

Norwich Union Life

What

  • Disclosure of personal information to fraudsters.
  • Fraudulent policy surrender

How much

  • 632 records
  • 74 records

Why

Telephone-based fraudsters used publicly available information (name, date of birth, etc.) to impersonate customers and gain access to accounts.

Regulator

FSA

Regulatory action

Monetary penalty – £1,260,000

Reason for action

Aware of the threat but took inadequate countermeasures, except in the case of Aviva group directors.

When

17 December 2007

Links

View the press release relating to Norwich Union Life on the FSA website

View PDF of the Norwich Union Life Final Notice (via FSA website)

View PDF of the Norwich Union Life Final Notice (Breachwatch archive)

The Department of Health

What
Inappropriate processing of personal data.

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website were readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website is encrypted; that instructions and advice on the use of passwords and PINs are given by the data controller to those entitled to access the site; that staff are given appropriate training; and that applications and systems under development undergo regular penetration and vulnerability testing to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)