2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data must be implemented. All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of sight, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)

Brent Teaching Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted. Staff must be adequately trained on the data controller’s information security policies.

Reason for action
The laptops were unencrypted and, although the office was locked, they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.

When
19 January 2009

Links
View PDF of the Brent Teaching Primary Care Trust Undertaking (Breach Watch Archive)

Littlewoods Shop Direct Home Shopping Limited

What
Inappropriate processing of personal data.

How much
Unknown.

Why
The ICO received a complaint from a customer of the data controller, who complained that it continued processing her personal data for the purpose of direct marketing despite a written notice to the contrary.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the personal details of the data subject are suppressed from all company databases so that she will not receive any further marketing material from the data controller. The data controller must also review procedures currently in place to ensure that customers’ rights under Section 11 of the Act are upheld.

Reason for action
The data controller was continuing to process the subject’s data, in violation of her rights.

When
21 May 2007

Links
View PDF of the Littlewoods Shop Direct Home Shopping Limited Undertaking (Breach Watch Archive)

Post Office Limited

What
Loss of personal data.

How much
250 records.

Why
Items of personal information were recovered from refuse bins used by the London Road Southampton, Rymans franchise branch of the data controller. The information consisted of 65 Firm E111 application forms, 158 receipts, 12 travel insurance forms, eight daily passport schedules and a money transfer showing the names of seven customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that data protection procedures are reviewed and updated where necessary to ensure that the correct procedures are in place for the handling and disposal of personal data. Staff must be sufficiently trained in these procedures.

Reason for action
The data controller had established procedures as evidenced by a declaration form (Form P13), but the breach nevertheless occurred and the ICO received complaints from members of the public.

When
26 February 2007

Links
View PDF of the Post Office Limited Undertaking (Breach Watch Archive)

Alliance and Leicester plc

What
Loss of personal data.

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Nottingham of the data controller, including a premier current account application form, a life assurance letter and a credit card application form.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be reminded of their obligations relating to customer confidentiality.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle. This was in breach of a policy the data controller had in place.

When
15 February 2007

Links
View PDF of the Alliance and Leicester plc Undertaking (Breach Watch Archive)

Barclays Bank plc

What
Loss of personal data.

How much
6 records.

Why
A Barclaycard was found cut up into four pieces in a refuse bin outside the Park Gate Branch, and four cut-up debit/Visa cards were found along with a deposit envelope in a refuse bin outside the Bristol branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff, and all third parties and sub-contractors must comply with the data controller’s data protection principles.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
2 February 2007

Links
View PDF of the Barclays Bank PLC Undertaking (Breach Watch Archive)