Royal Cornwall Hospitals NHS Trust.

What

Inappropriate disclosure of personal information on two separate occasions.

How much

Two records.

Why

The information was sent out in response to a third party Subject Access Request, inappropriately.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made familiar with procedures and policies relating to Subject Access Requests.

Reason for action

Insufficient training combined with a large volume of subject access requests lead to the error.

When

04 April 2011.

Links

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Cornwall Hospitals NHS Trust Undertaking (Breach Watch Archive)

Warrington and Halton Hospitals NHS Trust

What

Loss of sensitive data.

How much

110 records

Why

Theft of an unencrypted laptop from premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the encryption of portable media devices are checked and upheld.

Reason for action

Despite the data controller having a policy in place to ensure that all such devices were encrypted, this laptop had not been, nor had it been identified as a security risk, despite having no other form of protection.

When

01 April 2011.

Links

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Warrington and Halton Hospitals NHS Trust Undertaking (Breach Watch Archive)

Wolverhampton City Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

Personal data belonged to the data controller was dumped in a skip, which was later stolen.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the data controller’s policy on the disposal of confidential waste

Reason for action

The data should never have been disposed of in a skip. The data controller had a written contract with a third party for the disposal of confidential waste, but on this occasion there was confusion as to the confidential nature of the waste.

When

15 March 2011.

Links

View PDF of the Wolverhampton City Council Undertaking (Via ICO Website)

View PDF of the Wolverhampton City Council Undertaking (Breach Watch Archive)

Doncaster Metropolitan Borough Council

What

Inappropriate disclosure of personal information.

How much

39 records.

Why

A document containing personal details was provided during court proceedings to the defendant without the appropriate redactions in place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that procedures for dealing with subject access requests are clearly defined, managed, and checked.

Reason for action

This was the second time such an event had occurred.

When

25 February 2011.

Links

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Doncaster Metropolitan Borough Council Undertaking (Breach Watch Archive)

Aramark Ltd.

What

Loss of personal information.

How much

109 records.

Why

Paperwork and an unencrypted laptop were stolen in-transit.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and are only taken off site when absolutely necessary.

Reason for action

Although the laptop was password protected, this was insufficient security, given the sensitive nature of the data it contained

When

24 February 2011.

Links

View PDF of the Aramark Ltd. Undertaking (Via ICO Website)

View PDF of the Aramark Ltd. Undertaking (Breach Watch Archive)

Cambridgeshire County Council

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Gwent Police

What

Loss of sensitive personal information.

How much

863 records.

Why

An email containing a spreadsheet intended for 5 police colleagues was accidently forwarded to a website journalist.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that technological measures are introduced and maintained to prevent accidental auto completing of email addresses and similar errors.

Reason for action

The auto-complete function of the email suggested the email address of the journalist and this error was not corrected. Moreover the member of staff was found to have previously displayed a “cavalier” attitude to IT security policies.

When

11 February 2011.

Links

View PDF of the Gwent Police Undertaking (Via ICO Website)

View PDF of the Gwent Police Undertaking (Breach Watch Archive)

Ealing Council

Breach details

What Loss of sensitive personal information.
How much 958 records.
When 2010
Why Theft of two unencrypted laptops (one work-issued, one personal) from a staff member’s home. The employee had been involved in a breach before, but no remedial action was taken. No home working risk assessment undertaken (although this was in policy).

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 08 February 2011

Why the regulator acted

Breach of act Unencrypted tapes were stolen, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known Data controller was aware of the possible consequences of the such an event, since policies were in place requiring home assessment and encryption of laptops. Both these policies were breached.
Likely to cause damage or distress Personal data of clients.

Hertfordshire County Council

Breach details

What Loss of highly sensitive personal information by fax.
How much 47 records.
When 11 June 2010
Why Two faxes were sent to the wrong recipients.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 22 November 2010

Why the regulator acted

Breach of act Faxes sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known The ICOs advice on faxing protocols after the first incident were ignored, but the risk had been made clear.
Likely to cause damage or distress Data relating to vulnerable children.

Stoke-on-Trent City Council

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)