The Foreign and Commonwealth Office

What
Loss of personal data

How much
Unknown.

Why
The ICO was informed by UKvisas that there had been a breach of security in the VFS online visa application facility. The security breach resulted in the personal data of persons applying for visas to enter being viewable by others.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the VFS on-line application websites will not be re-opened and will be replaced by visa4UK. A strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processor’s data security procedures. The website will be regularly monitored and adequate and relevant data protection training will be given to all UKvisas staff on an ongoing basis.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
19 October 2007

Links
View PDF of the Foreign and Commonwealth Office Undertaking (Breach Watch Archive)

The Northern Ireland Office

What
Inappropriate processing of personal data

How much
Unknown.

Why
The data controller failed to respond to a subject access request made by the data subject relating to the processing of personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all subject access requests received by the data controller are dealt with in compliance with the provisions contained within Section 7 of the Data Protection Act. Adequate and relevant training is provided to all employees who are engaged in the process of dealing with subject access requests.

Reason for action
The ICO had received a complaint about the data controller’s failure to respond to a subject access request.

When
9 July 2007

Links
View PDF of the Northern Ireland Office Undertaking (Breach Watch Archive)

Orange Personal Communications Services Limited

What
Loss of personal data

How much
A number of records.

Why
Members of staff who had recently commenced working for the company were allowed to share user names and passwords to access company computer systems holding the personal data of Orange customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances.

Reason for action
The ICO had received a complaint about the sharing of user names and passwords by Customer Service Representatives.

When
23 May 2007

Links
View PDF of the Orange Personal Communications Services Limited Undertaking (Breach Watch Archive)

Littlewoods Shop Direct Home Shopping Limited

What
Inappropriate processing of personal data.

How much
Unknown.

Why
The ICO received a complaint from a customer of the data controller, who complained that the data controller continued processing her personal data for the purpose of direct marketing despite a written notice to the contrary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the personal details of the data subject are suppressed from all company databases to ensure that she will not receive any further marketing material from the data controller. The data controller must also review procedures currently in place to ensure that customers’ rights under Section 11 of the Act are upheld.

Reason for action
The data controller was continuing to process the subject’s data, in violation of her rights.

When
21 May 2007

Links
View PDF of the Littlewoods Shop Direct Home Shopping Limited Undertaking (Breach Watch Archive)

Phones 4U Ltd

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Phones 4U premises in Market Way, Coventry, and Regent Street, Swindon. The information included documentation showing customer names and addresses, and bank account details.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
17 May 2007

Links
View PDF of the Phones 4U Ltd Undertaking (Breach Watch Archive)

Dipesh Limited (Trading as Cash Generator)

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Cash Generator premises in Bridge Street, Nuneaton, including correspondence showing customer names and addresses.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
23 April 2007

Links
View PDF of the Dipesh Limited (Trading as Cash Generator) Undertaking (Breach Watch Archive)

Post Office Limited

What
Loss of personal data

How much
250 records.

Why
Items of personal information were recovered from refuse bins used by the London Road, Southampton, Rymans franchise branch of the data controller. The information consisted of 65 Form E111 application forms, 158 receipts, 12 travel insurance forms, eight daily passport schedules and a money transfer showing the names of seven customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that data protection procedures are reviewed and updated where necessary to ensure that the correct procedures are in place for the handling and disposal of personal data. Staff must be sufficiently trained in these procedures.

Reason for action
The data controller had established procedures as evidenced by a declaration form (Form P13), but the breach nevertheless occurred and the ICO received complaints from members of the public.

When
26 February 2007

Links
View PDF of the Post Office Limited Undertaking (Breach Watch Archive)

The Royal Bank of Scotland plc

What
Loss of personal data

How much
23 records.

Why
Items of personal data were recovered from refuse bins outside branches in Fareham, Manchester, Nottingham and Glasgow, including documents relating to individual accounts and application forms, a private banking form and a photocopy of a customer’s provisional driving license.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to all relevant staff.

Reason for action
The ICO had received complaints about the data controller’s breach of the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the Royal Bank of Scotland plc Undertaking (Breach Watch Archive)

National Westgate Bank plc

What
Loss of personal data

How much
8 records.

Why
Items of personal data were recovered from refuse bins outside branches in Manchester and Southampton, including fax copies of insurance forms, two cut-up debit cards and a list of a customer’s standing orders and direct debits.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of personal data and that appropriate data protection training is given to all relevant employees.

Reason for action
The ICO had received complaints about Westgate Bank’s failure to adhere to the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the National Westgate Bank plc Undertaking (Breach Watch Archive)

HFC Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Newport Branch of the data controller, including a customer’s loan application form, a collections history printout and other miscellaneous papers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be required to complete an online refresher course and test on a regular basis, at least once every two years.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
21 February 2007

Links
View PDF of the HFC Bank Limited Undertaking (Breach Watch Archive)