Orbit Heart of England Housing Association

What
Loss of sensitive personal data.

How much
1,000 records.

Why
57 paper files went missing at the time of an office move, although 42 of them had been recovered intact.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of, and trained to follow, the data controller’s new procedures with regard to office moves.

Reason for action
Investigations revealed that no inventory of files had been made prior to the move, so staff were initially uncertain as to how many files should have been received at the new office, and that many of the files had not been unpacked after 6 months.

When
30 November 2009

Links
View PDF of the Orbit Heart of England Housing Association Undertaking (Breach Watch Archive)

Mid Staffordshire NHS Foundation Trust

What
Loss of sensitive personal data.

How much
About three records.

Why
A member of the trust’s HR department saved a “Statement of Case” on a home computer in contravention of trust policy.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. The policy covering the storage and use of personal data must be followed by staff, especially when working from home. Trust policies must be amended to include explicit reference to staff data in terms of protecting personal information. Portable media devices must be suitably encrypted.

Reason for action
The information on the computer had not been password protected or encrypted. The Trust initially failed to demonstrate appropriate urgency in the securing of the data concerned.

When
2 October 2009

Links
View PDF of the Mid Staffordshire NHS Foundation Trust Undertaking (Breach Watch Archive)

Billing Pharmacy Limited

What
Loss of sensitive personal data.

How much
About 1,000 records.

Why
An unencrypted computer containing the personal data of around 1,000 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices and computers used to store or transport personal data are suitably encrypted. A data protection policy must be drafted and all staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action
It was not possible to notify the patients affected by the theft as the data on the computer was not separately backed up. Further enquiries revealed that the data controller did not have in place appropriate policies and procedures with regards to data protection matters.

When
8 September 2009

Links
View PDF of the Billing Pharmacy Limited Undertaking (Breach Watch Archive)

Jubilee Managing Agency Ltd

What
Loss of personal data.

How much
Around 2,100 records.

Why
An unencrypted disc containing personal data was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Personal data must not be kept any longer than absolutely necessary. Written data protection procedures must be adopted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was unencrypted and contained data relating to policies which had expired, or been cancelled, in some cases over 10 years ago. An investigation revealed that staff had insufficient internal training.

When
23 June 2009

Links
View PDF of the Jubilee Managing Agency Ltd Undertaking (Breach Watch Archive)

The University of Manchester

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
A computerised spreadsheet containing the personal data of some 1,755 individuals was published when it was accidentally sent as an email attachment by a member of the University staff and forwarded to some 469 students.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed. Policies on the transfer, sharing and publication of personal data must be made clear, and all staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
The data controller did not on this occasion ensure that adequate measures were taken to prevent the inappropriate internal transfer of the information.

When
15 April 2009

Links
View PDF of the University of Manchester Undertaking (Breach Watch Archive)