Kent Police

Breach details

What Highly sensitive and confidential information, including copies of police interview tapes, was left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter and noticed a box of videotapes bearing the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view their contents as a possible source of entertainment.
How much Numerous records dating as far back as the late 1980s.
When 28 November 2012.
Why In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 19 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.
Known or should have known The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.
Likely to cause damage or distress The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer who had no right to see that information. Furthermore there was a risk that the data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Department of Justice Northern Ireland

Breach details

What A locked filing cabinet containing sensitive personal data relating to claims arising from terrorist incidents in Northern Ireland was sold at auction.
How much Not specified – four-drawer filing cabinet.
When 12 May 2012
Why In the course of an office move the filing cabinet was sent to auction for disposal. Despite it being locked (and the weight of the cabinet must have indicated that it wasn’t empty) the Data Controller simply ignored the fact that there may have been personal data in the filing cabinet and sent it to auction. When the purchaser of the cabinet forced the lock they realised the sensitivity of the information and called the police to take the information away.

Regulatory action

Regulator ICO
Action Monetary penalty of £185,000.
When 14 Jan 2014.

Why the regulator acted

Breach of act Breach of the seventh data protection principle. The Commissioner argued that the Data Controller should have had “detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another”.
Known or should have known Given the sensitive political nature of the contents of the cabinet, and the fact that the cabinet was kept locked, the Data Controller should have known that the unauthorised release of the information was likely to cause “substantial distress”.
Likely to cause damage or distress The Commissioner states that substantial distress was not actually caused in this case, but argues that had the buyer of the cabinet not contacted the police to remove the data, substantial distress would have occurred.

Google Inc

Breach details

What Personal data not destroyed.
How much 5 disks containing an unknown number of records.
When February 2012
Why In May 2010 it was discovered that Street View vehicles had mistakenly collected payload data for thousands of individuals. This was deleted in November 2010. In February 2012 four disks were discovered to have been accidentally retained, and in October 2012 a fifth disk was discovered (although this may contain some data not collected in the UK).

Regulatory action

Regulator ICO
Action Enforcement Notice Issued to Google Inc
When 11th June 2013
Details Enforcement notice issued to ensure that all personal data held on vehicle disks and collected in the UK using Street View vehicles shall be destroyed within 35 days. Any disks discovered in the future holding personal data collected in the UK should be reported to the Information Commissioner.

NHS Surrey

Breach details

What Loss of personal data and sensitive personal data.
How much Approximately 1,570 hard drives. An unspecified number of records.
When 08 March 2010 – 02 July 2012
Why Between 08 March 2010 and 28 May 2012 hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper – there’s no substitute for watching your old hard drives being put through an industrial shredder.

Regulatory action

Regulator ICO
Action Monetary penalty of £200,000.
When 18 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was carried out; there was no written contract with the data processor requiring the company to comply with regulations; and NHS Surrey did not take appropriate steps to ensure compliance with the regulations.
Known or should have known NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound the problem by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only 60% of the penalty (£200K vs £325K) on NHS Surrey for losing around 60% more disks (1,570 vs 1,000).

Bedford Borough Council

Breach details

What Sensitive personal data including the mental and physical health of the data subjects held in a social care database.
How much One record.
When Unknown.
Why A record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

BW Comments

This is closely linked to the undertaking signed by Central Bedfordshire Council.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 10 September 2012
Details The social care database was to be completely cleansed of unnecessary data from the previous local authority by 31 March 2013, and security measures were to be implemented to protect personal data.

BW Observations

As with the Central Bedfordshire Council undertaking, there is no explanation provided by the Commissioner about the delay in publishing this undertaking, although this is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Personnel files found in Llandudno skip

What
Loss of sensitive personal data

How much
Unknown.

Why

Personnel files from a nightclub were found blowing out of a skip. A member of the public gave two sample files to the Daily Post. The files included phone numbers, addresses, National Insurance numbers, copies of driving licences with a photocopied photograph and an email address.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Scottish Borders Council

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £250,000, reduced to £0 after being overturned on appeal to the Information Rights Tribunal.
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident.
Likely to cause damage or distress Financial and medical data. The arrangement had been in place since 2005 and approximately 9,000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

Brighton and Sussex University Hospitals NHS Trust

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially, four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken, there were insufficient records kept to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator ICO
Action Monetary penalty of £325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide guarantees of technical security – loss of hard drives. Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical Data of Patients.

Norwich City College of Further and Higher Education

What

Loss of sensitive personal information on two occasions.

How much

80 records.

Why

Hard copy records were disposed of inappropriately and insecurely.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

The records were disposed of in standard black bin liners and were thrown into a skip on college grounds by cleaning staff, the same as any other waste.

When

19 April 2011.

Links

View PDF of the Norwich City College of Further and Higher Education Undertaking (Via ICO Website)

View PDF of the Norwich City College of Further and Higher Education Undertaking (Breach Watch Archive)