Treasury Solicitor’s Department

Breach details

What Disclosure of personal data.
How much 4 records.
When 06 February 2012, 24 August 2012, 30 August 2012 and 3 January 2013.
Why Three of these breaches involved case files containing un-redacted third party personal information to a claimant’s solicitor and the claimant themself. The fourth breach involved the sending of a case of papers relating to an unfair dismissal claim to an individual, although the papers contained personal information relating to another individual’s claim. All four of these breaches were self-reported. The Solicitor’s Department have some measures in place to safeguard personal data but there are gaps which are preventing further compliance.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 26 February 2014.
Details The Solicitor’s Department is to implement a clear, documented procedure for the preparation of information for disclosure within six months, as well as creating a structured, formal procedure concerning communication requirements between Junior and Senior lawyers carrying out the disclosure process. Mandatory training about the requirements of the Act is also to be given to all staff.

Royal Borough of Windsor & Maidenhead

Breach details

What Personal data disclosed on the council’s intranet in error.
How much 257 records.
When January 2013.
Why A spreadsheet containing details of individuals who had not signed a new employment contract was wrongly appended to a review document for general access on the intranet, rather than being added separately as a restricted item. The ICO investigation revealed that data protection and information security training for those with access to personal data had not been mandatory and that the policies on handling personal data were incomplete.

Regulatory action

ActionUndertaking to comply with the seventh data protection principle.

Regulator ICO
When 26 November 2013.
Details The Council will review and revise its data protection policies and ensure existing staff have appropriate training by 31 December 2013. All new staff whose roles involve access to personal data will receive training as soon as they begin their employment at the Council. Compliance with these policies and the training will be regularly monitored and enforced.

Ministry of Justice

Breach details

What Emails containing sensitive personal data concerning prison inmates accidentally sent to members of the public. This information included coded offences, addresses, identifying physical characteristics and location within the prison.
How much Three emails containing the details of 1,182 prisoners.
When 04 July, 11 July and 01 August 2011.
Why Each day HMP Cardiff manually transfers prisoner details from their network system Quantum onto a biometrics database in order to facilitate visits and other prisoner movements. The data is copied and pasted through Windows Explorer and thus can remain on the clipboard of Quantum. On 01 August the prisoner details were accidentally attached to an email to a member of the public booking a visit to a family member in HMP Cardiff. The individual reported this incident the next day and it was only at this point that the previous two emails came to light as they had not been reported by their recipients or noticed by the prison. Each email was sent by the same recently appointed booking clerk. Shortly after the breach was reported each recipient confirmed in writing that the data had not been disseminated further and was fully deleted; physical access was allowed to confirm this for two of the recipients and the other had already double-deleted the message and attachment.

Regulatory action

Regulator ICO
Action Monetary penalty of £140,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.

The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.

Known or should have known As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
Likely to cause damage or distress The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s sytems and should be refreshed within two years. In addition to training new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.

Aberdeen City Council

Breach details

What Four documents containing sensitive personal information were accidentally uploaded to the internet by a member of staff working from home. The data includes names and addresses, dates of birth, details of alleged criminal offences, and information about Social Care cases concerning children.
How much Four documents totalling 39 pages.
When 8 November 2011 to 18 February 2012.
Why A Council employee inadvertently downloaded four sensitive documents onto her PC when accessing them from home (either by email or by USB) between 8 November and 12 November 2011. These were then uploaded to a website by an auto-upload program pre-installed on the computer thereby making the data available to the public. The documents were discovered on 15th February 2012 and were removed (along with all cached versions) within four hours. However, on 18th February a national newspaper published a story on this incident although personal data was not included after a discussion with the Council.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000.
When 27 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council failed to introduce a secure home working policy or provide the training and equipment to make the home a secure place to work.
Known or should have known The Council was clearly aware that there were inherent risks with staff accessing sensitive personal data at home as it had an acceptable use policy. However, the Council did not supply the necessary equipment to make homes secure places to work from.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. The data is particularly sensitive as it identifies vulnerable individuals.There is also the risk that the information may have been further disseminated and misused.

Northern Health and Social Care Trust

Breach details

What Personal data including information on physical or mental health.
How much An unknown number of incidents including the faxing of confidential service user information to the wrong recipient and the inappropriate disclosure of personal data to professionals working with the Trust.
When An unknown period, dating to at least May 2011.
Why A number of security incidents led to the Commissioner’s investigation into the Trust. It was discovered that most of the staff involved in these incidents had not received the supposedly mandatory Information Governance training, and the Trust failed to monitor and enforce staff completion of training. This led to staff being unaware of Information Governance policies.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 13 August 2013.
Details From the date of this undertaking staff are to be made aware of policies regarding the storage and use of personal data and are given appropriate training in this and in dealing with security breaches. Measures should be put in place to ensure that staff attend all mandatory training. In addition, portable devices used to store personal data must be encrypted.

Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four year period a number of faxes containing personal information were sent to incorrect recipients rather than the bank’s certal processing systems. These breaches occurred on different faxes in different locations, and were made by a large number of staff from different branches. This was due to misdialling and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated his dislike of faxing, especially if the errors occurred because of manual misdialling which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach where a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.

Janet Thomas

Breach details

What Personal data and sensitive personal data included in CVs.
How much 7,435 records.
When 11 April 2012.
Why CV documents were being stored unprotected on the website www.janetpage.com, in an area that was intended to be a secure portal for prospective employers. However, any member of the public could access and download these documents which included information about candidates’ ethnicity, religion, and sexuality.

BW Comments

A reminder that unless you work very hard, documents on a website are very easily accessible.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 16 July 2013.
Details The company shall implement and monitor technical security measures on its website to protect personal data. This data should only be collected when necessary. Staff should also receive data protection training.

BW Observations

Given the background to the ACS Law MPN it is perhaps surprising that an obviously poorly-configured and amateur website containing (sensitive) personal data didn’t receive more than an undertaking from the commissioner. However as a jobseeker typically wants their CV circulated as widely as possible it would be hard for the ICO to establish that the breach of CVs from such a site was likely to cause the Data Subjects damage or distress.

Central Bedfordshire Council

Breach details

What Sensitive personal data incorrectly made available on a planning portal
How much Two records. This included birth details, private telephone numbers and personal medical information in one case, and physical and mental health details in the other.
When Unknown.
Why An individual’s personal information was made publicly available via a planning portal on the Council’s website. This occurred after documents were given the wrong planning reference number and then placed in an open access, rather than secure, folder. As a result personal information was not deleted from the documents prior to them being posted. In addition to this incident, a record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 18 September 2012.
Details The Council were to ensure that staff were aware of the correct procedures for preparing planning application documentation, to be given appropriate training, and that the procedures were followed. The social care database was also to contain a completely cleansed dataset by 31 March 2013. Finally, appropriate security measures were to be implemented to protect personal data.

BW Observations

Although the undertaking was ‘signed’ on 18 September 2012, it was only published by the ICO on 12 June 2013. This is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

North Staffordshire Combined Healthcare NHS Trust

Breach details

What Sensitive personal data (medical) faxed to an incorrect recipient.
How much 3 records.
When August and September 2011
Why Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number.

Regulatory action

Regulator ICO
Action Monetary penalty of £55,000
When 11 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff.
Known or should have known The trust was aware that there was risks sending information by fax because it had introduced the safe haven and best practice. It should have known that the best practice guidelines needed to be backed up by training and management controls.
Likely to cause damage or distress The Commissioner’s usual argument that the data subjects, some of who were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party.