Surrey Council

Breach details

What
Loss of sensitive personal information on three occasions.

How much
241 records.

When
May – June 2010

Why
Records were accidentally sent out in an email copied to a global distribution list, and minutes of a confidential strategy discussion were erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator
ICO

Action
Monetary penalty of £120,000

When
9 June 2011

Why the regulator acted

Breach of act
Emails were unencrypted and sent to the wrong recipients. Inappropriate organisational and technical measures.

Known or should have known
The risk of incorrect drop-down boxes being selected was “self evident”.

Likely to cause damage or distress
Records related to special needs.

Gwent Police

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidentally forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto-completing of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover, the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

Basingstoke and North Hampshire NHS Trust

What
Unnecessary sharing of sensitive personal data

How much
917 records

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not password protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)

Redstone Mortgages Ltd

What
Loss of personal data.

How much
15,333 records.

Why
15,333 mortgage records were emailed to a member of the public by accident.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all reports containing personal data are suitably password protected and that this provision is entered into any contracts between the data controller and any data processors acting on its behalf.

Reason for action
The data was being transmitted to the data controller’s head office and several other recipients as part of a monthly analysis report. One of the recipients used an email address that was similar to a member of the public’s, which was mistakenly entered. The data was not encrypted or password protected.

When
19 February 2010

Links
View PDF of the Redstone Mortgages Ltd Undertaking (Breach Watch Archive)