Cardiff City Council

Breach details

What Failure to meet the requirements of section 7 of the Act.
How much One complaint.
When 21 July 2011
Why The Council failed to respond to a subject access request within the prescribed period of 40 days. The Commissioner found that there were systematic failures to meet section 7.

Regulatory action

Regulator ICO
Action Undertaking to comply with the sixth data protection principle
When 28th August 2013.
Details The Council shall immediately set up clearly defined and managed procedures for dealing with subject access requests and provide staff with the appropriate training. This should include measures for the storage of paper records to ensure that subject access requests are responded to promptly and appropriately.

East Riding of Yorkshire Council

Breach details

What Sensitive personal data was inappropriately disclosed.
How much One record and one verbal remark.
When April/May 2012
Why Sensitive personal data about one family was mistakenly included in the response to a subject access request made by another family; and in a separate incident a student social worker revealed to the parent of a child under assessment the first name of the person who had made an anonymous referral about that parent.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle
When 4 April 2013
Details Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However, in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary.

The Highland Council

What
Loss of sensitive personal data.

How much
A few records.

Why

Sensitive personal data relating to several members of one family had been inadvertently disclosed to an unrelated individual. This occurred because several members of both families, who lived in the same small village, submitted subject access requests to the data controller at roughly the same date.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that a full briefing of subject access requests is provided to covering officers and a formal log of all requests is kept and made easily accessible.

Reason for action

The officer who usually dealt with such requests went on leave before full responses had been sent, and enquiries revealed that the covering officer had not been made aware that more than one request was outstanding from someone in the village. When information relating to one family was provided the covering officer assumed it was related to the other family, to whom he had earlier sent some documents left for him by his absent colleague.

When
17 March 2010

Links
View PDF of the Highland Council Undertaking (Breach Watch Archive)

Staffordshire County Council

What
Breach of the Data Protection Act

How much
Unknown.

Why
The data controller failed to respond to an individual’s subject access request in the prescribed period of 40 days.

Regulator
ICO

Regulatory action
Enforcement Notice issued, requiring the data controller to supply the individual with a copy of a document within 35 days of the Notice being issued.

Reason for action
The data controller failed to inform the individual, without undue delay, whether personal data relating to him was being processed by it or on its behalf.

When
7 February 2012

Links
View PDF of the Staffordshire County Council Enforcement Notice (Via ICO Website)

View PDF of the Staffordshire County Council Enforcement Notice (Breach Watch Archive)

Royal Cornwall Hospitals NHS Trust

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was inappropriately sent out in response to a third-party Subject Access Request.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests led to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Northern Ireland Office

What
Inappropriate processing of personal data

How much
Unknown.

Why
The data controller failed to respond to a subject access request made by the data subject relating to the processing of personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all subject access requests received by the data controller are dealt with in compliance with the provisions contained within Section 7 of the Data Protection Act. Adequate and relevant training is provided to all employees who are engaged in the process of dealing with subject access requests.

Reason for action
The ICO had received a complaint about the data controller’s failure to respond to a subject access request.

When
9 July 2007

Links
View PDF of the Northern Ireland Office Undertaking (Breach Watch Archive)