The Children’s Mutual

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidentally sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

The University of Manchester

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
A computerised spreadsheet containing the personal data of some 1,755 was published when it was accidentally sent as an attachment to an email by a member of the University staff and forwarded to some 469 students.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed. Policies on the transfer, sharing and publication of personal data must be made clear and all staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
The data controller did not on this occasion ensure that adequate measures were taken to prevent the inappropriate internal transfer of the information.

When
15 April 2009

Links
View PDF of the University of Manchester Undertaking (Breach Watch Archive)

Norwich Union Life

What

  • Disclosure of personal information to fraudsters.
  • Fraudulent policy surrender

How much

  • 632 records
  • 74 records

Why

Telephone-based fraudsters used publicly available information (name, DoB etc.) to impersonate customers and gain access to accounts.

Regulator

FSA

Regulatory action

Monetary penalty – £1,260,000

Reason for action

Aware of threat but took inadequate countermeasures except in case of Aviva group directors.

When

17 December 2007

Links

View the press release relating to Norwich Union Life on the FSA website

View PDF of the Norwich Union Life Final Notice (via FSA website)

View PDF of the Norwich Union Life Final Notice (Breachwatch archive)

The Department of Health

What
Inappropriate processing of personal data

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website were readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website is encrypted. Instructions and advice as to the use of passwords and PINs are to be given by the data controller to those entitled to access the site. Staff will be given appropriate training, and regular penetration and vulnerability testing of developing applications and systems will be carried out to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)

Orange Personal Communications Services Limited

What
Loss of personal data

How much
A number of records.

Why
Members of staff who had recently commenced working for the company were allowed to share user names and passwords to access company computer systems holding the personal data of Orange customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances.

Reason for action
The ICO had received a complaint about the sharing of user names and passwords by Customer Service Representatives.

When
23 May 2007

Links
View PDF of the Orange Personal Communications Services Limited Undertaking (Breach Watch Archive)