Kent Police

Breach details

What Highly sensitive and confidential information, including copies of police interview tapes, were left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter, and noticed a box of videotapes with the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view the contents of the videotapes as a possible source of entertainment
How much Numerous records dating as far back as the late 1980s.
When 28 November 2012.
Why In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by a failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 19 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.
Known or should have known  The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.
Likely to cause damage or distress The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer who had no right to see that information. Furthermore there was a risk that the  data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Panasonic UK

Breach details

What Theft of an unencrypted laptop containing personal data including names, passport details, addresses and contact details.
How much 970 records.
When 08 August 2012.
Why An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, and Panasonic’s comprehensive data protection policies that would have prevented this breach were therefore not automatically applied. However, it appears that these policies were not communicated to the company and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When Unknown.
Details Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Glasgow City Council

Breach details

What Two unencrypted laptops containing substantial amounts of personal data were stolen from offices undergoing refurbishment.
How much An unknown number of records.
When Unknown
Why An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for.

BW Comments

A Monetary Penalty Notice was issued to Glasgow in respect of this breach but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well.

Regulatory action

Regulator ICO
Action Enforcement Notice
When 04 June 2013
Details Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis.

BW Observations

Interestingly the enforcement notice didn’t re-enforce the 2010 instruction to encrypt laptops.

Stockport Primary Care Trust

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Enfield Council: Confidential Files Found in Disused Building

What
Loss of sensitive personal data

How much
Unknown.

Why
Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Regulator
None to date.

Regulatory action
None to date.

Reason for action
None to date.

When
October 2012

Links

Belfast Health and Social Care Trust

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Brighton and Sussex University Hospitals NHS Trust

Breach details

What Loss of sensitive personal information.
How much 79,000 records.
When March 2008
Why Initially four hard drives sold eBay in October and November 2010 were found to contain were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 325,000
When 1 June 2012

Why the regulator acted

Breach of act Failure to select a data processor able to provide gurantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress Medical Data of Patients.

Pharmacyrepublic Ltd

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen for the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, whom they had been paying a monthly retainer to, prior to the transfer of ownership process.

When

27 Mar 2012

Links

View PDF of the Pharmacyrepublic Ltd Undertaking (Via ICO Website)

View PDF of the Pharmacyrepublic Ltd Undertaking (Breach Watch Archive)

London Borough of Barnet

Breach details

What Loss of sensitive personal information.
How much 15 records.
When 23 April 2011
Why Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 15 May 2012

Why the regulator acted

Breach of act Loss of paper records.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress Data relating to child exploitation.

Community Integrated Care

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected, but had not been encrypted, However the data controller proposed to improve physical software and implement encryption as a result of the incident.

When

01 March 2012.

Links

View PDF of the Community Integrated Care Undertaking (Via ICO Website)

View PDF of the Community Integrated Care Undertaking (Breach Watch Archive)