Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in-transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security given the sensitive nature of the data it contained.

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

Ms Phillimore, a barrister

What

Loss of sensitive personal information.

How much

“A sizeable quantity”

Why

Theft of two hard copy folders of case files from her car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate physical security measures are taken to protect hard-copy data; in particular, data must not be left outside chambers overnight.

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

23 March 2011.

Links

View PDF of Ms Phillimore’s Undertaking (Via ICO Website)

View PDF of Ms Phillimore’s Undertaking (Breach Watch Archive)

Healthcare Locums PLC (HCL)

What

Loss of personal information.

How much

Unknown.

Why

A network storage device containing records relating to doctors employed by the data controller was lost or stolen in transit during an office move and was subsequently sold on eBay. It was eventually recovered.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that contracts are put in place between the data controller and any contractors it uses to process personal data on its behalf, and that those contractors are sufficiently vetted. Sufficient physical security measures must be implemented, and records of the data held on physical media must be kept.

Reason for action

Neither the network storage device nor the personal data it contained was encrypted. No inventory of the equipment being transported was taken, so the loss or theft of the device went unnoticed until the eBay buyer contacted the data controller.

When

14 October 2010.

Links

View PDF of the Healthcare Locums PLC Undertaking (Via ICO Website)

View PDF of the Healthcare Locums PLC Undertaking (Breach Watch Archive)

Forth Valley NHS Board

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted, non-password-protected memory stick containing sensitive personal data was handed in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board-issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick came to be in the newspaper's possession, but it was neither encrypted nor password protected.

When

30 September 2010.

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)

Birmingham Children’s Hospital NHS Foundation Trust

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put in place so that data security policies are adhered to consistently. Any portable media must be suitably encrypted or, where encryption is impossible because of the functions required, physical security must compensate for the additional risk.

Reason for action

This incident followed a previously self-reported security breach. The laptops were unencrypted and insufficiently secured.

When

14 July 2010.

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)

Kent Police

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are enforced. Where necessary, staff must be given secure transportation and storage facilities for data held outside the office.

Reason for action
Contrary to the data controller's policy, the officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home.

When
18 June 2010.

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

NHS Stoke-on-Trent

What

Possible loss of sensitive personal data.

How much

About 2,000 records.

Why

Following a request for information about a patient's medical records, it was discovered that the paper records were not in the storage system. Later enquiries revealed that about 2,000 records had not been stored.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate physical security for physical records is provided.

Reason for action

It is believed that the records may have been accidentally destroyed or misfiled. Insufficient physical security and tracking of the records was maintained.

When

11 May 2010.

Links

View PDF of the NHS Stoke-on-Trent Undertaking (Via ICO Website)

View PDF of the NHS Stoke-on-Trent Undertaking (Breach Watch Archive)

King’s College London

What
Loss of sensitive personal data.

How much
About 200 records.

Why
A Mac mini computer and several laptops were stolen from an academic office of the data controller in a teaching hospital.

In a second incident several months later two laptops were stolen from another teaching hospital.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of, and trained to follow, the data controller's policy for the storage, use, retention and disposal of personal data.

Reason for action
None of the machines was encrypted, and it was discovered that the laptops were not normally locked away or physically secured when not in use. Enquiries revealed that staff training and awareness of data protection responsibilities were inadequate. A similar incident had occurred in June 2009, but the data controller did not appear to have sufficiently incorporated the lessons learnt from that incident into its wider policies and procedures.

When
5 May 2010.

Links
View PDF of the King’s College London Undertaking (Breach Watch Archive)

Eastbourne Borough Council

What
Loss of personal data.

How much
Three records.

Why
Three unencrypted laptops were stolen from the general office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of, and trained to follow, the data controller's policy for the storage, use, retention and disposal of personal data.

Reason for action
The office had an electronic lock that staff knew to be faulty, and the laptops were neither encrypted nor physically secured to the desks or locked away. The data controller had recently relocated and staff had no access to the central network for some time, which led to the laptops being used to store and update a database containing personal information.

When
29 April 2010.

Links
View PDF of the Eastbourne Borough Council Undertaking (Breach Watch Archive)

Bolton Youth Offending Team

What
Loss of sensitive personal data.

How much
Three records.

Why
A camcorder containing video footage of two young offenders apologising to their young victim was stolen. Two laptops, which did not contain personal data, were stolen at the same time.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of, and trained to follow, the data controller's policy for the storage, use, retention and disposal of personal data.

Reason for action
The camcorder was stored in a locked cabinet, but the storage room containing it was not locked, and the windows through which entry was gained did not provide adequate security. The video footage should have been removed from the camcorder and either stored appropriately or destroyed.

When
28 April 2010.

Links
View PDF of the Bolton Youth Offending Team Undertaking (Breach Watch Archive)