Health & Care Professions Council

Breach details

What Documents containing personal data relating to a ‘fitness to practice’ hearing.
How much An unknown number of documents.
When 2011.
Why A suitcase containing documents relating to a ‘fitness to practice’ hearing was stolen from a train. The solicitors who had prepared these documents had not signed a contract to act only under instruction from the Data Controller, and had not been provided with specific guidance on the redaction of these documents for hearings.

BW Comments

It is strange that the ICO highlights the lack of an adequate contract between the Data Controller and their solicitor. Surely the normal contract of engagement between a client and solicitor would provide the necessary requirements of confidentiality and that the solicitor should only act on the client’s instructions?

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 09 July 2013.
Details The Data Controller is to immediately enter into a contract with its solicitors and issue instructions regarding the processing of personal data. In addition, agents and contractors given access to personal data are to be provided with specific guidance around data security; compliance with policies on data protection is to be regularly monitored; and security measures are to be implemented to protect personal data.

NHS Surrey

Breach details

What Loss of personal data and sensitive personal data.
How much Approximately 1,570 hard drives. An unspecified number of records.
When 08 March 2010 – 02 July 2012
Why Between 08 March 2010 and 28 May 2012 hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper – there’s no substitute for watching your old hard drives being put through an industrial shredder.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 18 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was taken; there was no written contract with the data processor requiring the company to comply with regulations; and NHS Surrey did not take appropriate steps to ensure compliance with the regulations.
Known or should have known NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound the problem by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only 60% of the penalty (£200K vs £325K) on NHS Surrey for losing around 60% more disks (1,570 vs 1,000).

Leeds City Council

Breach details

What Personal and sensitive (health) personal data.
How much An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
When Not specified.
Why During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.

BW Comments

If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 30 November 2012
Details The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.

BW Observations

It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.

Rio 2016 staff downloaded files illegally during Olympic transfer programme

What
Possible loss of personal data.

How much
Unknown.

Why
Rio Olympics employees, thought to have been working in the London 2012 technology department, downloaded files without authorisation during the official Olympic knowledge transfer programme.

The original report by Brazilian journalist Juca Kfouri suggests the ‘hack’ was discovered by London 2012 staff when details of unauthorised access were found in log files. Kfouri’s blog entry suggests the files were highly confidential and included information about strategic planning and security. The nature and content of the files has not been confirmed by LOCOG, although officials, playing down the incident, said the documents would probably have been provided to the Rio team had they requested them.

The report of the incident in the Brazilian online portal UOL suggests no personal data was compromised.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
September 2012

Links

Scottish Borders Council

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £250,000, reduced to £0 (overturned on appeal to the Information Rights Tribunal)
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self-evident.
Likely to cause damage or distress Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)

Brighton and Sussex University Hospitals NHS Trust

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken, there were insufficient records kept to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator ICO
Action Monetary penalty of £325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide guarantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical Data of Patients.

Zurich Insurance plc

What
Loss of personal data.

How much
6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator
ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractor’s staff and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as with a normal data processor.

When
7 March 2010

Links
View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally, on two later occasions customer details were inappropriately disclosed and personal data was made available online for several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

E*Trade Securities Ltd.

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data been provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)

Newcastle Youth Offending Team

What

Loss of sensitive personal data.

How much

100 records.

Why

Theft of an unencrypted laptop from a home address of an employee of a hired data processor.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all data processors contracted on the data controller’s behalf comply with the principles of the Act and in particular that all portable media devices are sufficiently encrypted.

Reason for action

The data controller did not have an appropriate contract in place with the data processor which stipulated the need to encrypt devices containing personal data.

When

28 October 2011.

Links

View PDF of the Newcastle Youth Offending Team Undertaking (Via ICO Website)

View PDF of the Newcastle Youth Offending Team Undertaking (Breach Watch Archive)