Healthcare Locums PLC (HCL)

What

Loss of personal information.

How much

Unknown.

Why

A network storage device containing records relating to doctors employed by the data controller was lost or stolen in transit during a move and was sold on eBay. It was eventually recovered.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that contracts are put in place between the data controller and any contractors it uses to process personal data on its behalf, and that those contractors are sufficiently vetted. Sufficient physical security measures must be implemented and records of the data held on physical media must be kept.

Reason for action

Neither the network storage device nor the personal data contained on it was encrypted. No inventory of the equipment being transported was taken, so the loss/theft of the device went unnoticed until the eBay buyer contacted the data controller.

When

14 October 2010

Links

View PDF of the Healthcare Locums PLC Undertaking (Via ICO Website)

View PDF of the Healthcare Locums PLC Undertaking (Breach Watch Archive)

Yorkshire Building Society

What

Loss of personal information.

How much

A “substantial” number.

Why

Theft of an unencrypted laptop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that compliance with IT security policies is appropriately and regularly monitored.

Reason for action

The laptop was unencrypted and, contrary to policies and procedures, the manager had written down passwords and left these and the laptop under his desk overnight.

When

26 August 2010

Links

View PDF of the Yorkshire Building Society Undertaking (Via ICO Website)

View PDF of the Yorkshire Building Society Undertaking (Breach Watch Archive)

DSG Retail

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessary security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing of such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breachwatch Archive)

Zurich Insurance Plc (Zurich UK)

What

Loss of personal information including bank and credit card details and details of insured properties.

How much

46,000 records.

Why

Unencrypted backup tape lost by a data processor.

Regulator

FSA

Regulatory action

Monetary penalty: £2,275,000

Reason for action

Zurich did not audit the data processor (a group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with a normal data processor.

When

24 August 2010

Links

View the press release relating to Zurich Insurance on the FSA website

View PDF of the Zurich Insurance Final Notice (via FSA website)

View PDF of the Zurich Insurance Final Notice (Breachwatch archive)

Kent Police

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are enforced. Where necessary, staff must be given secure transportation and storage facilities for data outside of the office.

Reason for action
The officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home, in breach of the data controller’s policy.

When
18 June 2010

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

Lampeter Medical Practice

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect to the unauthorised use of memory sticks.

Reason for action
A practice database was downloaded, without authorisation, onto an unencrypted and non-password-protected memory stick.

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

Eastbourne Borough Council

What
Loss of personal data.

How much
Three records.

Why
Three unencrypted laptops were stolen from the general office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must at all times be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The office had an electronic lock that staff knew to be faulty, and the laptops were neither encrypted nor physically secured to the desks or locked away. The data controller had recently relocated and staff did not have access to the central network for some time, resulting in the use of the laptop to store and update a database containing personal information.

When
29 April 2010

Links
View PDF of the Eastbourne Borough Council Undertaking (Breach Watch Archive)

NCL (Bahamas) Ltd

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

South Yorkshire Pensions Authority

What
Loss of personal data.

How much
9,140 records.

Why
An unencrypted CD containing personal data relating to 9,140 pension scheme members was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The CD was being used as a working copy by administrative staff in the office environment and there was no indication that it had been stolen. It had been created to give staff easy access to the data without full consideration of the data security implications.

When
22 April 2010

Links
View PDF of the South Yorkshire Pensions Authority Undertaking (Breach Watch Archive)

The Royal London Mutual Insurance Society Ltd

What
Loss of personal data.

How much
2,135 records.

Why
18 laptops were lost or stolen from the data controller’s Edinburgh offices, two of which were unencrypted and contained personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
An internal investigation revealed that the data controller was uncertain of the precise location of these laptops at any given time. Physical security was insufficient and managers were unaware that the two laptops contained personal data.

When
16 March 2010

Links
View PDF of the Royal London Mutual Insurance Society Ltd Undertaking (Breach Watch Archive)