Royal Wolverhampton Hospitals NHS Trust

What

Loss sensitive of personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear how exactly the CD had came to be made. Any patient charts released to consultants would not be chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)

Basingstoke and North Hampshire NHS Trust

What
Unnecessarily sharing of sensitive personal data

How much
917 records

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not passport protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)

Ysgol Bro Famau

What
Loss of sensitive personal data.

How much
A few records.

Why
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.

When
16 April 2010

Links
View PDF of the Ysgol Bro Famau Undertaking (Breach Watch Archive)

Redstone Mortgages Ltd

What
Loss of personal data.

How much
15,333 records.

Why
15,333 mortgage records were emailed to a member of the public by accident.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all reports containing personal data are suitably password protected and that this provision in entered into any contracts between the data controller and any data processors acting on its behalf.

Reason for action
The data was being transmitted to the data controller’s head office and several other recipients as part of a monthly analysis report. One of the recipients used an email address that was similar to a member of the public’s, which was mistakenly entered. The data was not encrypted or password protected.

When
19 February 2010

Links
View PDF of the Redstone Mortgages Ltd Undertaking (Breach Watch Archive)

The Association of Teachers and Lecturers

What
Loss of sensitive personal data.

How much
Approximately 6,282 records.

Why
An unencrypted laptop computer and memory stick were lost or stolen from a roadside vehicle as an ATL staff member was packing his car.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Staff will be prohibited from storing data on personal memory sticks. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The laptop was the property of ATL and contained sensitive personal data relating to some 6,282 union members. The memory stick was personally owned by the member of staff and contained duplicates of 3,366 of the laptop records.

When
14 January 2010

Links
View PDF of the Association of Teachers and Lecturers Undertaking (Breach Watch Archive)

Shropshire Council

What
Loss of sensitive personal data.

How much
3,742 records.

Why
An unencrypted memory stick containing a social care management database was lost during a postal transfer from the Council’s offices to a regular contractor based in Cardiff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Databases must only contain information relevant for their purpose and the purpose of transfer. Where possible sensitive personal data should be accessed remotely or hand-delivered. All other post should be adequately tracked and protected. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
Sensitive data was transferred onto the password protected but unencrypted memory stick in breach of council procedure. The memory stick was sent in inadequately protected packaging, and contained records that were excessive for their purpose and out of date.

When
3 December 2009

Links
View PDF of the Department of the Shropshire Council Undertaking (Breach Watch Archive)

Great Yarmouth & Waveney Primary Care Trust

What
Loss of sensitive personal data.

How much
1,000 records.

Why
Two desktop computers were stolen from premises with minimal security.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted and password protected. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The desktop computers were both unencrypted and without password protection. The data held on these computers should have been held on a network server. The premises where the computers were stored had no intruder alarm or security locks.

When
3 November 2009

Links
View PDF of the Great Yarmouth & Waveney Primary Care Trust Undertaking (Breach Watch Archive)

Glouchestershire Primary Care Trust

What
Loss of sensitive personal data.

How much
About 2,270 records.

Why
Six unencrypted desktop computers containing personal data relating to 2,270 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The computers were password protected but not encrypted. The patient data should have been held on a local server rather than on the hard drives of the stolen computers.

When
15 October 2009

Links
View PDF of the Glouchestershire Primary Care Trust Undertaking (Breach Watch Archive)

Sandwell Metropolitan Borough Council

What
Loss of sensitive personal data.

How much
About four records.

Why
An unencrypted memory stick containing data relating to children in care was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices are encrypted to a suitable standard. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
29 July 2009

Links
View PDF of the Sandwell Metropolitan Borough Council Undertaking (Breach Watch Archive)

Manchester City Council

What
Loss of personal data.

How much
1,754 records.

Why
Two unencrypted laptops were stolen from the internal audit offices in the Town Hall.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to ensure that laptops are safely stored and encrypted. Only personal data absolutely necessary for audit purposes may be downloaded to mobile devices  All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The laptops were not encrypted, password protected, or secured to immovable objects, in breach of a number of the data controllers’s internal policies and procedures, in which all staff had received training.

When
16 June 2009

Links
View PDF of the Manchester City Council Undertaking (Breach Watch Archive)