London Clubs International Limited

What
Loss of personal data.

How much
26,000 records.

Why
An unencrypted laptop was stolen from the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. The physical security of such devices must be ensured.

Reason for action
The laptop was password protected, but not encrypted.

When
10 July 2009

Links
View PDF of the London Clubs International Limited Undertaking (Breach Watch Archive)

Counted4 CIC

What
Loss of sensitive personal data.

How much
84 records.

Why
A filing cabinet containing paper records referring to the personal details of 84 individuals undergoing Drug Rehabilitation Requirements was lost during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the physical security of personal data be ensured, especially during transit. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
A building contractor was employed to transport a number of cabinets to the new site, and insufficient organisational measures were made to prevent cabinets containing data for transfer from being mixed with obsolete cabinets to be disposed of.

When
9 July 2009

Links
View PDF of the Counted4 CIC Undertaking (Breach Watch Archive)

Oldham Council

What
Loss of sensitive personal data.

How much
220 records.

Why
13 unencrypted laptops were stolen during a burglary at secure council offices, with the exception of one stolen from a staff member’s car and another that was stolen during the course of a youth activity evening.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
Three of these unencrypted laptops held sensitive personal data and the council did not take adequate steps to safeguard the data, either through encryption, or better physical security in respect of the two laptops stolen outside of council property.

When
7 July 2009

Links
View PDF of the Oldham Council Undertaking (Breach Watch Archive)

Manchester City Council

What
Loss of personal data.

How much
1,754 records.

Why
Two unencrypted laptops were stolen from the internal audit offices in the Town Hall.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted. Only personal data absolutely necessary for audit purposes may be downloaded to mobile devices. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptops were not encrypted, password protected, or secured to immovable objects, in breach of a number of the data controller’s internal policies and procedures, in which all staff had received training.

When
16 June 2009

Links
View PDF of the Manchester City Council Undertaking (Breach Watch Archive)

Epsom & St Helier University Hospitals NHS Trust

What
Insecure storage of sensitive personal data.

How much
“A large number”

Why
A reporter discovered the insecure storage of hospital records relating to medical tests and treatment.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the possibility of unauthorised access to the data over the course of two years.

When
11 June 2009

Links
View PDF of the Epsom & St Helier University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Chelsea & Westminster Hospital

What
Loss of sensitive personal data.

How much
143 records.

Why
An unencrypted memory stick containing patient information was stolen from an unattended and unlocked office being used for a walk-in clinic.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was not encrypted and in fact was not even password protected. The employee was not aware that secure network drive and encryption facilities were available and had used a personal memory stick since Trust equipment was not available.

When
2 June 2009

Links
View PDF of the Chelsea & Westminster Hospital Undertaking (Breach Watch Archive)

The Highland Council

What
Loss of sensitive personal data.

How much
1,400 records.

Why
Two unencrypted laptops were stolen from a locked office on the data controller’s premises.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted.

Reason for action
The laptops were not encrypted and no additional physical security measures were in place beyond being placed in a locked office.

When
2 June 2009

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

Salford Royal NHS Foundation Trust

What
Loss of sensitive personal data.

How much
3,500 records.

Why
An unencrypted desktop computer containing personal data was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted and only held for as long as absolutely necessary. Mandatory induction data protection training must be given to all staff.

Reason for action
The desktop computer was not secured to the desk or encrypted. Initially the incident was treated only as a loss of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data.

When
22 May 2009

Links
View PDF of the Salford Royal NHS Foundation Trust Undertaking (Breach Watch Archive)

Doncaster Primary Care Trust

What
Loss of sensitive personal data.

How much
About 220,000 records.

Why
An obsolete out-of-hours GP service voice recording server that held the personal data of patients was removed without authorisation.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Adequate physical security measures must be put in place to protect such devices.

Reason for action
The obsolete server was removed by an external contractor’s engineer who installed a new server. The obsolete server was not missed until 3 weeks later, when the new server failed. It was out of the Trust’s control for almost 3 weeks, during which time it was briefly booted up twice. It is unlikely, however, that the clinical voice records it contained were accessed.

When
27 April 2009

Links
View PDF of the Doncaster Primary Care Trust Undertaking (Breach Watch Archive)

Stockport NHS Foundation Trust

What
Loss of sensitive personal data.

How much
1,588 records.

Why
An unencrypted laptop containing sensitive personal data was stolen from a locked hospital room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data must be implemented. All such devices must be registered with the IT department. All staff must receive adequate data protection training.

Reason for action
The laptop was password protected but not encrypted. It had not been locked in a cabinet as was usual but was stored in a covered box under the desk. The laptop did not appear to have been registered with the Trust’s IT department.

When
25 March 2009

Links
View PDF of the Stockport NHS Foundation Trust Undertaking (Breach Watch Archive)