Telford & Wrekin Council

Breach details

What Inappropriate disclosure of sensitive personal data.
How much Two records over two incidents.
When 31 March 2011
Why On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 6 June 2012

Why the regulator acted

Breach of act There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress Data relating to vulnerable child in foster care.

Central London Community Healthcare NHS Trust

Breach details

What Inappropriate disclosure of sensitive personal data.
How much 59 records.
When 28 March 2011
Why On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 21 May 2012

Why the regulator acted

Breach of act Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
Likely to cause damage or distress Medical data of patients.

BW Observations

This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.

London Borough of Barnet

Breach details

What Loss of sensitive personal information.
How much 15 records.
When 23 April 2011
Why Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
When 15 May 2012

Why the regulator acted

Breach of act Loss of paper records.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress Data relating to child exploitation.

Aneurin Bevan Health Board

Breach details

What Loss of sensitive personal data.
How much One records.
When 24 March 2011
Why A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When 30 April 2012

Why the regulator acted

Breach of act Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress Medical data.

Leicestershire County Council

What

Loss of sensitive personal data.

How much

18 records.

Why

A briefcase, containing documents to be used for initiating court proceedings, was stolen from a social worker’s house during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that existing policies should be amended to include detailed guidance relating to the security of paper documents whilst home working and that staff receive sufficient training and follow these guidelines.

Reason for action

While the social worker had asked for, and received, permission from his manager to take the documents home with him, policies had been put in place to train staff in how to secure documents outside of the office. While the manager had received this training, the social worker had not.

When

17 Apr 2012

Links

View PDF of the Leicestershire County Council Undertaking (Via ICO Website)

View PDF of the Leicestershire County Council Undertaking (Breach Watch Archive)

Hertfordshire County Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third software installed allowing its usage to be tracked. No usage has been logged since the threat. However the USB sticks contained sensitive personal information and at the time if the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young Peoples’ Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff trained was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breachwatch Archive)

Croydon Council

Breach details

What Croydon Council.
How much One record.
When 20 April 2011
Why A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved and the onus was on staff to update their own knowledge and read the data controller’s policies in the intranet. No checks were made to ensure that staff had read or understood these police.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 13 Fenruary 2012

Why the regulator acted

Breach of act Loss of papers, which could disrupt an ongoing legal case.
Inappropriate organisational and technical measures.
Known or should have known It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress Information related to an ongoing legal case.