Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database of children's swimming lessons was stolen from a ground-level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers, the thief was able to remove the laptop and escape, as the laptop was left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, including the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However, the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested.

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Central Essex Community Services

What

Loss of sensitive personal data.

How much

249 records.

Why

Loss of a birth book from a locked storage room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient physical security measures are in place for the storage of paper medical records and that compliance with these measures is monitored.

Reason for action

The birth book was supposed to be locked in a filing cabinet in accordance with the data controller’s policy, but it was stored on top of the cabinet due to a lack of storage space.

When

21 November 2011.

Links

View PDF of the Central Essex Community Services Undertaking (Via ICO Website)

View PDF of the Central Essex Community Services Undertaking (Breach Watch Archive)

Holly Park School

What

Loss of sensitive personal data.

How much

Nine records.

Why

Theft of an unencrypted laptop from school premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are encrypted and are kept physically secure.

Reason for action

Although the laptop was kept in a locked filing cabinet, the office it was housed in was not locked.

When

05 October 2011.

Links

View PDF of the Holly Park School Undertaking (Via ICO Website)

View PDF of the Holly Park School Undertaking (Breach Watch Archive)

Dartford and Gravesham NHS Trust

What

Accidental destruction of archived records containing sensitive personal data.

How much

10,000 records.

Why

Records accidentally placed in a disposal room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is physically secure against destruction.

Reason for action

Due to a lack of space in the archives, records were placed in a disposal room and accidentally disposed of.

When

04 October 2011.

Links

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Via ICO Undertaking)

View PDF of the Dartford and Gravesham NHS Trust Undertaking (Breach Watch Archive)

Poole Hospital NHS Trust

What

Loss of sensitive personal data.

How much

240 records.

Why

Theft of two diaries from a nurse’s car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is kept physically secure both at home and in the workplace and that personal data is kept to the minimum required and anonymised where possible.

Reason for action

The diaries contained information the nurse might need off hours, but were kept, unsecured, in her car outside her home.

When

04 October 2011.

Links

View PDF of the Poole Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Poole Hospital NHS Trust Undertaking (Breach Watch Archive)

HCA International Limited

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from one of the group’s hospitals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient standard encryption is used and physical security is upgraded.

Reason for action

  • Laptop containing the data was unencrypted.
  • Physical security of the laptop was deemed insufficient to prevent theft.

When

05 August 2011.

Links

View PDF of the HCA International Limited Undertaking (Via ICO Website)

View PDF of the HCA International Limited Undertaking (Breach Watch Archive)

Northamptonshire Healthcare NHS Foundation Trust

What

Loss of sensitive personal data on two occasions.

How much

One record.

Why

A patient’s records had not been indexed.

Regulator

ICO

Regulatory action

Undertaking issued to ensure sufficient measures are put into place for the storage and security of physical records.

Reason for action

Not all records held by the data controller were indexed.

When

18 July 2011.

Links

View PDF of the Northamptonshire Healthcare NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Northamptonshire Healthcare NHS Foundation Trust Undertaking (Breach Watch Archive)

Ms Raisa Saley, barrister at law

What

Loss of sensitive personal data.

How much

“Considerable”

Why

Loss of a bundle of legal papers while commuting by train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data would not be taken off site unless strictly necessary and that records are kept secure.

Reason for action

The records were taken off-site in an unlocked suitcase, which was then lost.

When

05 July 2011.

Links

View PDF of the Ms Raisa Saley Undertaking (Via ICO Website)

View PDF of the Ms Raisa Saley Undertaking (Breach Watch Archive)

Cherubs Community Playgroup

What

Loss of sensitive personal data.

How much

47 records.

Why

Theft of an unencrypted laptop from the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops containing sensitive personal information are encrypted and sufficient physical security measures are implemented.

Reason for action

The playgroup’s premises were located in a publicly used building and security measures were only implemented during playgroup hours.

When

28 June 2011.

Links

View PDF of the Cherubs Community Playgroup Undertaking (Via ICO Website)

View PDF of the Cherubs Community Playgroup Undertaking (Breach Watch Archive)