Norfolk Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why A social worker in the Data Controller’s Children’s Services department intended to deliver a copy of a conference report to a child’s father, but accidentally wrote the wrong address on the envelope and posted it through the door of the father’s neighbour. Although a policy was in place providing guidance on sending personal data by post, it was possible that the social worker was unaware of it, as she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor training.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 13 February 2012

Why the regulator acted

Breach of act Even had the policy been followed, there was nothing to prevent the incorrect delivery of the wrongly addressed letter.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress Data related to the physical and emotional well-being of a child.

Turning Point

What

Loss of personal data.

How much

Three records.

Why

Three service users’ files were lost following the relocation of premises. It is believed that the files were unintentionally destroyed as confidential waste.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any policies introduced in relation to the storage, movement and use of personal data are implemented and communicated in all Turning Point offices.

Reason for action

Inquiries revealed that this was the second incident of the same nature within a year and despite implementing a number of safeguards during this relocation, there was no formal written policy in place to cover the relocation of files containing personal data.

When

10 February 2012.

Links

View PDF of the Turning Point Undertaking (Via ICO Website)

View PDF of the Turning Point Undertaking (Breach Watch Archive)

Bolton Council

What

Loss of sensitive personal data.

How much

“Several”

Why

A rucksack containing hard copy documentation relating to several individuals was stolen from a keyworker’s car. A second incident was also reported in which an email containing a full occupational health form for one player was sent in error to several hundred people.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that hard copy documentation is only removed from the office or secure storage when absolutely necessary and must contain the minimum amount of personal data required. Thorough risk assessments are to be completed for all mobile working arrangements.

Reason for action

  • In the case of the first incident it was discovered that the keyworker had been carrying significantly more paperwork than necessary without the knowledge of management. Investigations revealed that, despite the fact that many employees are predominantly mobile workers, the implications of handling data in a mobile environment had been insufficiently considered. Employees had, however, received appropriate training relating to the removal of personal data from the office.
  • In the second incident it transpired that autofill is often used when sending emails and that existing email groups do not differentiate between internal and external addresses.

When

10 February 2012.

Links

View PDF of the Bolton Council Undertaking (Via ICO Website)

View PDF of the Bolton Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

At least 29 records.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party, together with a list of 29 occupants residing at two supported housing properties. Additionally, on two later occasions customer details were inappropriately disclosed and personal data was made available online for several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

E*Trade Securities Ltd.

What

Loss of sensitive personal data.

How much

608 records.

Why

Files containing personal data relating to clients in the Middle East were identified as missing from storage in the UK having been couriered from ETSL-Dubai.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any processing of personal data carried out by a data processor on behalf of the data controller is carried out under a contract made and evidenced in writing and that a detailed record of all personal data couriered internally is kept.

Reason for action

The investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor, nor had instructions on the security and processing of this personal data been provided.

When

03 February 2012.

Links

View PDF of the E*Trade Securities Ltd. Undertaking (Via ICO Website)

View PDF of the E*Trade Securities Ltd. Undertaking (Breach Watch Archive)

Midlothian Council

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 January 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

Powys County Council

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a child protection report on an unrelated child along with a document concerning her own child, because an employee of the data controller accidentally mixed in a colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital, they had not made the completion of such training mandatory. This was the second such incident.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data undergo full data protection training and that an accurate record is kept of this training.
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and had the potential for misuse.

London Borough of Southwark

What

Loss of sensitive personal data.

How much

7,200 records.

Why

An unencrypted iMac and paper records were found by a member of the public in a skip being used to clear a decommissioned and vacant property that had been part of a complex previously owned by the data controller.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will demonstrate adherence to the action plans to deal with the issue that it has presented to the data commissioner and that it will honour its invitation for the ICO to conduct a data protection audit.

Reason for action

Although the Data Controller demonstrated plans to deal with the breach, the iMac had been missing since 2003 and was unencrypted, so any member of the public would have been able to remove the data contained on it.

When

21 November 2011.

Links

View PDF of the London Borough of Southwark Undertaking (Via ICO Website)

View PDF of the London Borough of Southwark Undertaking (Breach Watch Archive)

Oliver Letwin, MP

What

Loss of sensitive personal data.

How much

“Numerous”

Why

The data controller was disposing of documents in public waste bins in St James’ Park.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any documents containing personal data are disposed of in a secure manner, such as shredding, pulping or incineration.

Reason for action

Some of the documents disposed of in the public waste bins included personal information such as names and addresses.

When

15 November 2011.

Links

View PDF of the Oliver Letwin MP Undertaking (Via ICO Website)

View PDF of the Oliver Letwin MP Undertaking (Breach Watch Archive)

University Hospitals Coventry & Warwickshire NHS Trust

What

Loss of sensitive personal data on two occasions.

How much

One record and 18 records.

Why

A patient’s medical record was allegedly found in a waste bin outside Coventry’s University Hospital by a member of the public. Two months previously the records of 18 patients were found in a public waste bin in a residential apartment block.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the storage, use, disposal and removal from the premises of personal information are made clear to staff and that compliance is monitored.

Reason for action

The short time between the two incidents suggested that insufficient measures were being taken to safeguard personal data.

When

27 October 2011.

Links

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Via ICO Website)

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Breach Watch Archive)