Tameside Energy Services Ltd

Breach details

What Serious breach of the Privacy and Electronic Communications Regulations (PECR).
A high volume of unsolicited marketing calls to consumers that had registered with the Telephone Preference Service (TPS) that continued despite customer complaints and requests to unsubscribe.
How much An unknown number of direct marketing calls resulting in 1,010 TPS complaints and 60 complaints directly to the ICO (8 of which were duplicates), making a total of 1,062 complaints.
When 26th May 2011 to 31 January 2013.
Why Failed to screen calls effectively against a current Telephone Preference Service (TPS) list or maintain an opt-out register.

Regulatory action

Regulator ICO
Action Monetary penalty of £45,000.
Enforcement notice issued to ensure that Tameside does not make unsolicited marketing calls to individuals registered with TPS, or who have notified Tameside that they do not want to receive further calls, within 28 days.
When 5 July 2013.

Why the regulator acted

Breach of act Breach of Regulation 21: repeatedly ignored provisions that marketing calls should not be made to individuals who had registered with TPS.
Known or should have known Concerns over PECR obligations were first raised by the Commissioner in May 2012. The volume of complaints made before and after the Commissioner’s letter of May 2012 would have made the company aware that they were continually breaching regulations.
Likely to cause damage or distress. The overall level of distress was assessed as substantial due to the very large numbers of individuals affected. A small number of individuals also personally suffered substantial levels of distress.

Bedford Borough Council

Breach details

What Sensitive personal data including the mental and physical health of the data subjects held in a social care database.
How much One record.
When Unknown.
Why A record held in the Council’s social care database was compromised by the inappropriate actions of two employees. A local governmental reorganisation in April 2009 had left Central Bedfordshire Council and the data controller with non-relevant records which were in the process of being removed at the time of the incident.

BW Comments

This is closely linked to the undertaking signed by Central Bedfordshire Council.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 10 September 2012
Details The social care database was to be completely cleansed of unnecessary data from the previous local authority by 31 March 2013, and security measures were to be implemented to protect personal data.

BW Observations

As with the Central Bedfordshire Council undertaking there is no explanation provided by the Commissioner about the delay in publishing this undertaking although this is probably related to the appeal to the Information Tribunal by Central Bedfordshire Council being withdrawn.

Halton Borough Council

Breach details

What Details of adoptive parents accidentally disclosed to birth parents.
How much 1 record.
When 25 May 2012
Why An employee mistakenly included the address of a child’s adoptive parents in a ‘letterbox’ letter to the birth mother. The birth mother passed the address on to her own parents, who wrote to the adoptive parents seeking contact with the child. The grandparents then made an application to the Court for direct contact with their grandchild, which was refused following two hearings, and the grandparents had to undertake only to use the Council’s ‘letterbox’ procedure for contact.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures to prevent accidental disclosure, such as implementing a peer-checking process and a clear checklist of requirements.
Known or should have known Because of the very nature of the ‘letterbox’ process which was designed to protect the identities of adoptive and birth parents, the council should have known that this type of issue was a risk, and that a breach of confidentiality would cause ‘substantial distress’. The council should therefore have taken steps to prevent the problem arising.
Likely to cause damage or distress This contravention was of a kind likely to cause substantial distress and on this occasion resulted in what a court deemed to be ‘inappropriate contact’.

–>

Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Torbay Care Trust

Breach details

What Loss of sensitive personal data.
How much 1,373 records.
When April 2011
Why Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000
When 6 August 2012

Why the regulator acted

Breach of act Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress Financial and Medical data. May have been accessed by untrustworthy third parties.

Marston Properties

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third software installed allowing its usage to be tracked. No usage has been logged since the threat. However the USB sticks contained sensitive personal information and at the time if the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young Peoples’ Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff trained was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breachwatch Archive)

Chartered Institute of Public Relations

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)