Ipswitch Hospital NHS Trust

What
Loss of sensitive personal data.

How much
30 records.

Why
A ward handover sheet was found outside the data controller’s premises. This was the second time inside a year that such an incident had been reported to the Commissioner.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it.

Reason for action
Following the incident in 2008 recommendations had been made to minimise the risk of such documents going astray, including instructions to dispose of these in confidential waste and never to remove them from Trust premises, but it was clear that these had not been adhered to by staff.

When
25 August 2009

Links
View PDF of the Ipswich Hospital NHS Trust Undertaking (Breach Watch Archive)

HSBC Life (UK)

What

  • Loss of personal data.
  • General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)

Phones 4U Ltd

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Phones 4U premises in Market Way, Coventry, and Regent Street, Swindon. The information included documentation showing customer names and addresses, and bank account details.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
17 May 2007

Links
View PDF of the Phones 4U Ltd Undertaking (Breach Watch Archive)

The Royal Bank of Scotland plc

What
Loss of personal data

How much
23 records.

Why
Items of personal data were recovered from refuse bins outside branches in Fareham, Manchester, Nottingham and Glasgow, including documents relating to individual accounts and application forms, a private banking form and a photocopy of a customer’s provisional driving license.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to all relevant staff.

Reason for action
The ICO had received complaints about the data controller’s breach of the Seventh Data Protection Principle.

When
23 February 2007

Links

View PDF of the Royal Bank of Scotland plc Undertaking (Breach Watch Archive)

National Westgate Bank plc

What
Loss of personal data

How much
8 records.

Why
Items of personal data were recovered from refuse bins outside branches in Manchester and Southampton, including fax copies of insurance forms, two cut up debit cards and a list of a customers standing orders and direct debits.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of personal data and that appropriate data protection training is given to all relevant employees.

Reason for action
The ICO had received complaints about Westgate Bank’s failure to adhere to the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the National Westgate Bank plc Undertaking (Breach Watch Archive)

Barclays Bank plc

What
Loss of personal data

How much
6 records.

Why
A Barclaycard was found cut up into four pieces in a refuse bin outside the Park Gate Branch and four cut up debit/visa cards were found along with a deposit envelop in a refuse bin outside the Bristol branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff and all third parties and sub-contractors comply with the data controller’s data protection principles.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
2 February 2007

Links
View PDF of the Barclays Bank PLC Undertaking (Breach Watch Archive)