Kent Police

Breach details

What Highly sensitive and confidential information, including copies of police interview tapes, were left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter, and noticed a box of videotapes with the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view the contents of the videotapes as a possible source of entertainment
How much Numerous records dating as far back as the late 1980s.
When 28 November 2012.
Why In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by a failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator ICO
Action Monetary penalty of £100,000
When 19 March 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.
Known or should have known  The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.
Likely to cause damage or distress The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer who had no right to see that information. Furthermore there was a risk that the  data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Department of Justice Northern Ireland

Breach details

What A locked filing cabinet containing sensitive personal data relating to claims arising from terrorist incidents in Northern Ireland was sold at auction.
How much Not specified – four-drawer filing cabinet.
When 12 May 2012
Why In the course of an office move the filing cabinet was sent to auction for disposal. Despite it being locked (and the weight of the cabinet must have indicated that it wasn’t empty) the Data Controller simply ignored the fact that there may have been personal data in the filing cabinet and set it to auction. When the purchaser of the cabinet forced the lock they realised the sensitivity of the information and called the police to take the information away.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 185,000.
When 14 Jan 2014.

Why the regulator acted

Breach of act Breach of the seventh data protection principle. The Commissioner argued that the Data Controller should have had “detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another”.
Known or should have known Given the sensitive political nature of the contents of the cabinet, and the fact that the cabinet was kept locked, the Data Controller should have known that the unauthorised release of the information was likely to case “substantial distress”.
Likely to cause damage or distress The Commissioner states that substantial distress was not actually caused in this case, but argues that had the buyer of the cabinet not contacted the police to remove the data, substantial distress would have occurred.

Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Cardiff and Vale University Health Board

Breach details

What Loss of a bag containing sensitive personal data including a mental health act tribunal report, a solicitor’s letter, and five CV’s.
How much Documents relating to at least seven individuals.
When 26 November 2012.
Why A consultant psychiatrist lost their bag containing these documents when cycling home from the office. The documents were necessary for the consultant to work outside of the office environment, but although other more secure means of transporting the data or remote server access were available they were not communicated clearly to staff. The individual also did not receive induction training (including on data protection) until after the incident had occurred.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 04 October 2013.
Details The Health Board is to immediately implement a security policy concerning the removal and security of data off site and provide training to all staff in how to follow it, as well as mandatory training on data protection. Assessments are also to be made on the suitability of an individual working from home and appropriate arrangements made. Finally, a protective marking scheme is to be introduced.

Luton Borough Council

Breach details

What Personal data including information on the health and ethnicity of the data subjects.
How much Two cases.
When December 2012 and January 2013.
Why Two separate incidents involved incorrect handling of personal data by social work staff. In the first case an email containing personal information about a family was sent across an unsecured internet connection and also sent to an agency unconnected to the family. In the second case papers were lost in an accident when a member of staff took them home when leaving work early due to severe weather.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 11 September 2013.
Details Staff are to be trained in how to follow the Council’s procedures for the storage and use of personal data by 30 November 2013. Training is also required before staff are granted access to the Council’s sytems and should be refreshed within two years. In addition to training new procedures covering such issues as the transporting of personal data outside of the office must be drafted by 30 November.

Local Government Ombudsman (the LGO)

Breach details

What A bag containing an encrypted portable media device and hard copy papers relating to planning application complaints. This included sensitive personal information relating to one of the complainant’s physical or mental health.
How much 8 complaints.
When Unknown.
Why A bag containing sensitive personal information was stolen from one of Ombudsman’s investigators at a public house. There was a specific reason for the papers to be taken out of the office and a policy on security on information while in transport existed, but staff were unaware of the policies due to a lack of training.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 22 August 2013
Details The company shall provide mandatory annual training to all staff whose role includes the routine processing of personal information. The company shall also ensure that all staff are aware of its policies relating to personal information and are updated of any changes to these policies.

East Riding of Yorkshire Council

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

Isle of Anglesey County Council

Breach details

What Loss of personal data and in one case loss of sensitive personal data.
How much Unknown
When Several incidents in early 2012
Why Documents containing personal data were inappropriately disclosed or disposed of, or put at risk of unauthorised access. The council had an out of date data protection policy, and provided insufficient data protection training.

BW Comments

The undertaking is very vague, and doesn’t provide specific details of what happened to cause the data losses, or why.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 20 December 2012
Details The data conroller is to ensure that all policies and procedures are up to date and in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

BW Observations

It is almost as if the council, as part of its self-reporting, suggested the necessary remedial action.

Leeds City Council

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to 4 data subjects.
When 28 July 2011
Why A support assistant, following council policy and re-using an old envelope for internal mail, failed to cross out the original address and later mistakenly put the envelope in the external post tray. As a result, the document was received by an unauthorised individual.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 95,000
When 16 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
Known or should have known The ICO was satisfied that the Council should have known that that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.

Devon County Council

Breach details

What Loss of sensitive personal data
How much Personal data relating to approximately 22 data subjects.
When 12 May 2011
Why A social worker prepared an adoption panel report using another family’s report as template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 10 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.