Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Previnder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Previnder Sanghera Undertaking (Breach Watch Archive)

Turning Point

What

Loss of personal data.

How much

Three records.

Why

Three service user’s files were lost following the relocation of premises. It is believed that that the files were unintentionally destroyed in confidential waste.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any policies introduced in relation to the storage, movement and use of personal data are implemented and communicated in all Turning Point offices.

Reason for action

Inquiries revealed that this was the second incident of the same nature within a year and despite implementing a number of safeguards during this relocation, there was no formal written policy in place to cover the relocation of files containing personal data.

When

10 February 2012.

Links

View PDF of the Turning Point Undertaking (Via ICO Website)

View PDF of the Turning Point Undertaking (Breach Watch Archive)

Fairbridge

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions password protected, but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Craven District Council

What

Loss of personal data.

How much

2,300 records.

Why

An unencrypted laptop containing a database with child swimming lessons was stolen from a ground level office at a swimming pool.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted. These devices must be secured when not in use.

Reason for action

Despite several security devices and the rapid arrival of police officers the thief was able to remove the laptop and escape, as the laptop was left unsecured on a desk in a position where it could be seen from outside the office.

When

10 February 2012.

Links

View PDF of the Craven District Council Undertaking (Via ICO Website)

View PDF of the Craven District Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

Southampton City Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller required taxi operators to record all conversations and images while the vehicles were in use.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to erase any personal data in the audio recordings that have already been obtained and held, and refrain from recording any such personal data in the future.

Reason for action
The recording policy was considered unnecessary and fundamentally invasive to private individuals using the car, be they driver or passenger.

The Enforcement notice was upheld on appeal to the first-tier (Information Rights) tribunal.When
7 February 2012

Links
View PDF of the Southampton City Council Enforcement Notice (Via ICO Website)

View PDF of the Southampton City Council Enforcement Notice (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally email to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, included the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Richard Dominic Preston

What

Loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from the data controller’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store personal data are encrypted to a sufficient standard.

Reason for action

Although much of the data on the laptop would have been in the public domain, it included email correspondence relating to legal cases.

When

06 December 2011.

Links

View PDF of the Richard Dominic Preston Undertaking (Via ICO Website)

View PDF of the Richard Dominic Preston Undertaking (Breach Watch Archive)

Rochdale Metropolitan Borough Council

What

Loss of personal data.

How much

“Thousands”

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issues to ensure that all portable media devices used to store personal data are sufficiently encrypted and that policies and procedures on the storage, processing, transmission and disposal of personal data shall be reviewed and revised by no later than 1 December 2011.

Reason for action

Although much of the data on the USB stick was already available in the public domain it became clear during investigations that data protection training was insufficient and that encrypted memory sticks were not provided in those cases when more private data would have been stored.

When

03 November 2011.

Links

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Breach Watch Archive)

Spectrum Housing Group

What

Personal data relating to employees accidently sent to an outside recipient.

How much

200 records.

Why

Records accidently sent to an outside recipient due to the data controllers’ e-mail system automatically predicting the intended recipient based on previous sent messages.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data will only be sent by email when necessary. Data should be made secure and staff should be made aware of company policies.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

19 October 2011.

Links

View PDF of the Spectrum Housing Group Undertaking (Via ICO Website)

View PDF of the Spectrum Housing Group Undertaking (Breach Watch Archive)