Tag Archives: Physical Records

Scottish Court Service

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Court documents were discovered at a recycling centre, inappropriately disposed of.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

The papers had been given to a law reporter, but no checks had been made regarding the security of his procedures prior to sharing the data.

When

05 January 2011

Links

View PDF of the Scottish Court Service Undertaking (Via ICO Website)

View PDF of the Scottish Court Service Undertaking (Breach Watch Archive)

DSG Retail

Posted on by

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessarily security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breachwatch Archive)

Buckinghamshire County Council

Posted on by

What
Loss of sensitive personal information.

How much
Two records.

Why
Loss of documents containing sensitive personal data included in a plastic wallet with flight and accommodation details given to a social work employee flying to another UK city.
Regulator
ICO

Regulatory action
Undertaking issued to ensure that a proper risk assessment is carried out prior to the removal from the office environment of documents containing sensitive personal data and that they are sufficiently secure in transit.

Reason for action
It was felt that the implications of including the case documents with the travel documents during the journey had been insufficiently considered.

When
8 July 2010

Links

Kent Police

Posted on by

What
Loss of personal data.

How much
Unknown.

Why
Theft of documents containing personal information from a police officer’s car while it was parked overnight.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies covering the transportation of data are made clear and are regulated. Where necessary staff must be given secure transportation and storage facilities for data outside of the office

Reason for action
The officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home in breach of the data controller’s policy

When
18 June 2010

Links
View PDF of the Kent Police Undertaking (Via ICO Website)

View PDF of the Kent Police Undertaking (Breach Watch Archive)

NHS Stoke-on-Trent

Posted on by

What

Possible loss of sensitive personal data.

How much

2,000 records

Why

Following a request for information about a patient’s medical records it was discovered that the physical paper records were not within the storage system, later enquiries revealed that about 2,000 records had not been stored

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate physical security for physical records is provided.

Reason for action

It is believed that the records may have been accidently destroyed or misfiled. Insufficient physical security and tracking was maintained.

When

11 May 2010

Links

View PDF of the NHS Stoke-on-Trent Undertaking (Via ICO Website)

View PDF of the NHS Stoke-on-Trent Undertaking (Breach Watch Archive)

NCL (Bahamas) Ltd

Posted on by

What
Loss of personal data.

How much
80 records.

Why
A computer printout containing payroll information relating to the data controller’s UK employees was believed to have been stolen during an office move.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are at all times adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data. Adequate provision must be made for the secure transfer of personal data and procedures for this must be communicated to all staff, including removal contractors, in advance of any future office move or reorganisation.

Reason for action
The records were believed to have been stolen and were not suitably secure.

When
26 April 2010

Links
View PDF of the NCL (Bahamas) Ltd Undertaking (Breach Watch Archive)

Lancashire County Council

Posted on by

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
Documents containing a considerable amount of personal data were found in filing cabinet purchased second hand.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a formal written procedure is produced and implemented to ensure that any office furniture or equipment that is to be moved or disposed of is properly checked for personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The records were duplicates of documents held in the data controller’s office and contained extensive personal data. Enquiries revealed that the data controller had no formal written policy to ensure and document that cabinets or drawers were empty of personal data prior to disposal or removal.

When
11 January 2010

Links
View PDF of the Lancashire County Council Undertaking (Breach Watch Archive)

Bellgrange Mortgages & Insurance Services Ltd

Posted on by

What
Loss of sensitive personal data.

How much
A number of records.

Why
Paper documents containing client details were inappropriately disposed of in waste bins intended for the use of local residents.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that physical security measures are adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The documents were left in the waste bins overnight prior to their collection by the waste disposal contractor. Following their discovery the documents were either returned to Bellgrange or destroyed.

When
9 December 2009

Links
View PDF of the Bellgrange Mortgages & Insurance Services Ltd Undertaking (Breach Watch Archive)

Orbit Heart of England Housing Association

Posted on by

What
Loss of sensitive personal data.

How much
1,000 records.

Why
57 paper files went missing at the time of an office move, although 42 of them had been recovered intact.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all staff are made aware of and, trained to follow, the data controller’s new procedures with regards to office moves.

Reason for action
Investigations revealed that no inventory of files had been made prior to the move, so staff were initially uncertain as to how many files should have been received at the new office and that many of the files had not be unpacked after 6 months.

When
30 November 2009

Links
View PDF of the Orbit Heart of England Housing Association Undertaking (Breach Watch Archive)

NHS Grampian

Posted on by

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

  • The inappropriate distribution of an email containing sensitive personal data relating to an individual.
  • Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
  • An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

  • A senior nursing manager distributing an email from another senior manager to over 50 other staff without first consulting either the sender of the data controller’s Information Governance Manager.
  • Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
  • An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
  • Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)