Ministry of Justice

Breach details

What An unencrypted, non-password protected, portable hard drive stored in a prison’s Security Department and used to back up the prisoner intelligence database, was lost. This followed a virtually identical breach in 2011.
How much 16,000 records and 2,935 records.
When October 2011 and 24 May 2013.
Why The hard drive had last been used on 18 May 2013 for the weekly back up, but had not been locked up afterwards in a fireproof safe, as required. Following the previous breach in 2011 remedial action had been taken including the distribution of encrypted hard drives to 75 prisons that had previously been using unencrypted portable hard drives. However it was not realised that the encryption software on these new drives required manual activation. As a result prisoner intelligence information was being held on portable unencrypted devices in 75 prisons for a period of at least 12 months.

Regulatory action

Regulator ICO
Action Monetary penalty of £180,000
When 26 August 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: The Ministry failed to take appropriate technical measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as taking steps to ensure that the portable hard drives that were used to back up the prisoner intelligence database in 75 prisons had actually been encrypted.
Known or should have known The Ministry was aware that prisons across the entire estate were backing up this information on a weekly basis pending the implementation of a new intelligence system. As a result of a virtually identical security breach in October 2011, the data controller was also aware that the portable hard drives used to back up this intelligence information in 75 prisons were unencrypted. As it was routine to handle sensitive personal data relating to prisoners it should have been obvious that such a contravention would be of a kind likely to cause substantial damage and/or substantial distress to the data subjects
Likely to cause damage or distress This scale of the breach posed a significant risk of causing serious detriment to thousands of prisoners in England and Wales. The data subjects would be likely to suffer from substantial distress knowing that their confidential and sensitive personal data may be accessed by unauthorised third parties, aggravated by the fact that the hard drive has still not been recovered. If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and substantial damage.

Treasury Solicitor’s Department

Breach details

What Disclosure of personal data.
How much 4 records.
When 06 February 2012, 24 August 2012, 30 August 2012 and 3 January 2013.
Why Three of these breaches involved case files containing un-redacted third party personal information to a claimant’s solicitor and the claimant themself. The fourth breach involved the sending of a case of papers relating to an unfair dismissal claim to an individual, although the papers contained personal information relating to another individual’s claim. All four of these breaches were self-reported. The Solicitor’s Department have some measures in place to safeguard personal data but there are gaps which are preventing further compliance.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 26 February 2014.
Details The Solicitor’s Department is to implement a clear, documented procedure for the preparation of information for disclosure within six months, as well as creating a structured, formal procedure concerning communication requirements between Junior and Senior lawyers carrying out the disclosure process. Mandatory training about the requirements of the Act is also to be given to all staff.

Better Together

Breach details

What Breach of the Privacy and Electronic Communications Regulations (PECR) – Sent text messages without the consent of the recipients.
How many 300,000 SMSs.
When 22 March 2013 and 27 April 2013.
Why Better Together were sending out text messages to individuals in Scotland regarding how they would vote in the Scottish Independence Referendum. However, they did not ensure the recipients had given their consent to be contacted as they believed another company had already done this on their behalf.

Regulatory action

Regulator ICO
Action Undertaking to comply with Regulation 22(2) of PECR.
When 19 November 2013.
Details Two rounds of texts were sent out even though Better Together had received a letter from the ICO warning them to comply with the law.

Great Ormond Street Hospital for Children NHS Foundation Trust

Breach details

What Letters containing medical information were sent to the wrong address.
How much 4 records.
When A period of 18 months up to November 2013.
Why Letters were sent out by temporary or bank staff who had not received relevant data protection training as such training was not required for temporary members of staff. Permanent staff were also not obliged to attend training as it was not enforced. In addition to this there were no policies or procedures in place to ensure the accuracy of addresses.

Regulatory action

ActionUndertaking to comply with the seventh data protection principle.

Regulator ICO
When 21 November 2013.
Details Temporary or bank staff must be provided with data protection training before working with personal and sensitive personal data and all training is to be monitored and attendance enforced. Processes are also to be put in place to ensure documents are sent to the right address and practical guidance is to be communicated to all staff.

Ministry of Justice

Breach details

What Emails containing sensitive personal data concerning prison inmates accidentally sent to members of the public. This information included coded offences, addresses, identifying physical characteristics and location within the prison.
How much Three emails containing the details of 1,182 prisoners.
When 04 July, 11 July and 01 August 2011.
Why Each day HMP Cardiff manually transfers prisoner details from their network system Quantum onto a biometrics database in order to facilitate visits and other prisoner movements. The data is copied and pasted through Windows Explorer and thus can remain on the clipboard of Quantum. On 01 August the prisoner details were accidentally attached to an email to a member of the public booking a visit to a family member in HMP Cardiff. The individual reported this incident the next day and it was only at this point that the previous two emails came to light as they had not been reported by their recipients or noticed by the prison. Each email was sent by the same recently appointed booking clerk. Shortly after the breach was reported each recipient confirmed in writing that the data had not been disseminated further and was fully deleted; physical access was allowed to confirm this for two of the recipients and the other had already double-deleted the message and attachment.

Regulatory action

Regulator ICO
Action Monetary penalty of £140,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.

The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.

Known or should have known As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
Likely to cause damage or distress The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.

Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four year period a number of faxes containing personal information were sent to incorrect recipients rather than the bank’s certal processing systems. These breaches occurred on different faxes in different locations, and were made by a large number of staff from different branches. This was due to misdialling and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated his dislike of faxing, especially if the errors occurred because of manual misdialling which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach where a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.

Mansfield District Council

Breach details

What Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much An undisclosed number of records.
When August 2009 to November 2012
Why Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 25 January 2013
Details Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

St George’s Healthcare NHS Trust

Breach details

What Loss of sensitive personal data.
How much Two records.
When 2011
Why Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, at which the subject had resided at 5 years previous. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged into the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved with compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 12 July 2012

Why the regulator acted

Breach of act Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS.
Likely to cause damage or distress Medical data.

Belfast Health and Social Care Trust

Breach details

What Loss of sensitive personal data.
How much About 10,000 records.
When May 2010
Why Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physicals records there on the internet. Despite security upgrades following this incident intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 225,000
When 19 June 2012

Why the regulator acted

Breach of act Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.
Known or should have known The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.
Likely to cause damage or distress Medical records and financial data of employees.

Telford & Wrekin Council

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.