Dumfries and Galloway Council

What

Accidental online disclosure of staff’s personal information.

How much

887 records.

Why

Records were accidently published online in response to a Freedom of Information (Scotland) Act request.

Regulator

ICO

Regulatory action

Undertaking issued to undergo an externally commissioned audit and to put it place checks to prevent another such occurrence.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

17 October 2011.

Links

View PDF of the Dumfries and Galloway Council Undertaking (Via ICO Website)

View PDF of the Dumfries and Galloway Council Undertaking (Breach Watch Archive)

Walsall Council

What

Accidental disposal of personal data.

How much

951 records.

Why

The appointed data processor accidentally disposed of postal vote statements in a skip.

Regulator

ICO

Regulatory action

Undertaking issued to insure that in the future a written contract exists between data processors and the controller.

Reason for action

There was no written contract between the data controller and the data processor..

When

09 September 2011.

Links

View PDF of the Walsall Council Undertaking (Via ICO Website)

View PDF of the Walsall Council Undertaking (Breach Watch Archive)

Lewisham Council and Wandle Housing Association

What

Loss of personal data.

How much

20,000 records.

Why

Loss of an unencrypted memory stick in a London pub.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is not transferred onto unencrypted personal media devices.

Reason for action

Staff were insufficiently trained and unaware of the dangers of copying sensitive information to personal, unsecure, devices.

When

04 August 2011.

Links

View PDF of the Lewisham Council Undertaking (Via ICO Website)

View PDF of the Lewisham Council Undertaking (Breach Watch Archive)

View PDF of the Wandle Housing Association Undertaking (Via ICO Website)

View PDF of the Wandle Housing Association Undertaking (Breach Watch Archive)

Kirklees Metropolitan Council

What

Personal data unnecessarily disclosed.

How much

18 records.

Why

Records let visible in an employees’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient security measures are implemented and checked to prevent inappropriate disclosure of personal data.

Reason for action

Similar accidental disclosures had already occurred during the past year and insufficient measures had been put into place to prevent any reoccurrences.

When

29 July 2011.

Links

View PDF of the Kirklees Metropolitan Council Undertaking (Via ICO Website)

View PDF of the Kirklees Metropolitan Council Undertaking (Breach Watch Archive)

University of York

What

Loss of personal data.

How much

148 records.

Why

Failure to close a test area on the University’s website that contained student records.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that university IT staff ensure the appropriate security of all data following maintenance.

Reason for action

Insufficient managerial control was in place to ensure that the test version of the database was deleted.

When

20 July 2011.

Links

View PDF of the University of York Undertaking (Via ICO Website)

View PDF of the University of York Undertaking (Breach Watch)

Freehold Community School

What

Loss of personal data.

How much

90 records.

Why

An unencrypted laptop and paper work was stolen from a teacher’s car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are suitably encrypted.

Reason for action

The data controller was unaware of the necessity to ensure the encryption of portable media devices.

When

21 April 2011.

Links

View PDF of the Freehold Community School Undertaking (Via ICO Website)

View PDF of the Freehold Community School Undertaking (Breach Watch Archive)

Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in-transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security, given the sensitive nature of the data it contained

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

Isle of Anglesey County Council

What

Loss of sensitive personal information.

How much

Unknown.

Why

Undertaking issued to ensure that any processing of data by another party in carried out under a written contract with instructions regarding security and processing clearly outlined.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The data controller has no written contract in place with the data processor, nor had the controller provided instructions on the security and processing of the data. Both of these violate the Act.

When

18 February 2011.

Links

View PDF of the Isle of Anglesey County Council Undertaking (Via ICO Website)

View PDF of the Isle of Anglesey County Council Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Rainforest Alliance Ltd

What

Potential loss of personal data.

How much

Unknown.

Why

Theft of an unencrypted Laptop during a domestic burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that staff are sufficiently trained and monitored in the Data controllers security policies.

Reason for action

Although the laptop was password protected and used with permission it was not encrypted and it emerged that only some of the data it contained had been backed up on the office server. It was concluded that the data controller had not provided adequate guidance on physical security.

When

11 November 2010

Links

View PDF of the Rainforest Alliance Ltd Undertaking (Via ICO Website)

View PDF of the Rainforest Alliance Ltd Undertaking (Breach Watch Archive)