NCL (Bahamas) Ltd

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

Ysgol Bro Famau

What
Loss of sensitive personal data.

How much
A few records.

Why
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.

When
16 April 2010

Links
View PDF of the Ysgol Bro Famau Undertaking (Breach Watch Archive)

Warwickshire County Council

What
Loss of sensitive personal data.

How much
A few records.

Why
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.

The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.

When
19 March 2010

Links
View PDF of the Warwickshire County Council Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)

St Albans City and District Council

What
Loss of personal data.

How much
15,333 records.

Why
Four unencrypted laptops were stolen, one of which contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data. Adequate security checks must be carried out on contractor’s staff.

Reason for action
The laptop containing personal data was unencrypted (yet met Council IT security policy at the time) and contained redundant election data that had not been removed in a reasonable amount of time. It was later taken by contracted IT staff and left unsecured, later discovered to be missing along with 3 other laptops.

When
5 March 2010

Links
View PDF of the St Albans City and District Council Undertaking (Breach Watch Archive)

Alzheimer’s Society

What
Loss of sensitive personal data.

How much
Approximately 1,000 records.

Why
Several unencrypted laptop computers, one of which contained personal data, were stolen from the data controller’s Cardiff Office during a burglary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptops had been returned to the office for encryption, but this had not yet taken place when the theft occurred. The laptops were neither physically secured by cable locks, nor locked away securely. This was the third data security incident reported to the Commissioner during 2009. It was also revealed that staff did not receive any formal data protection training.

When
1 February 2010

Links
View PDF of the Alzheimer’s Society Undertaking (Breach Watch Archive)

Southampton University Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
An unencrypted laptop was stolen from a retinal screening vehicle.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The vehicle was left unlocked and unattended during the theft.

When
14 December 2009

Links
View PDF of the Southampton University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Great Yarmouth & Waveney Primary Care Trust

What
Loss of sensitive personal data.

How much
1,000 records.

Why
Two desktop computers were stolen from premises with minimal security.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted and password protected. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The desktop computers were both unencrypted and without password protection. The data held on these computers should have been held on a network server. The premises where the computers were stored had no intruder alarm or security locks.

When
3 November 2009

Links
View PDF of the Great Yarmouth & Waveney Primary Care Trust Undertaking (Breach Watch Archive)

NHS Grampian

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

  • The inappropriate distribution of an email containing sensitive personal data relating to an individual.
  • Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
  • An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

  • A senior nursing manager distributing an email from another senior manager to over 50 other staff without first consulting either the sender of the data controller’s Information Governance Manager.
  • Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
  • An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
  • Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)

HSBC Life (UK)

What

  • Loss of personal data.
  • General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)