The University of Manchester

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
A computerised spreadsheet containing the personal data of some 1,755 was published when it was accidently sent as an attachment of an email by a member of the University staff and forwarded to some 469 students..

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Policies on the transfer, sharing and publication of personal data must me made clear and all staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
The data controller did not on this occasion ensure that adequate measures were taken to prevent the inappropriate internal transfer of the information.

When
15 April 2009

Links
View PDF of the University of Manchester Undertaking (Breach Watch Archive)

Central Lancashire Primary Care Trust

What
Loss of sensitive personal data.

How much
6,360 records.

Why
An encrypted memory stick containing data relating to medical treatment was lost by a member of staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed and that mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the loss of the data in question. The memory stick had a “Post it” sticker adhered to it containing the applicable password for the use of the stick.

When
8 April 2009

Links
View PDF of the Central Lancashire Primary Care Trust Undertaking (Breach Watch Archive)

Hull and East Yorkshire Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
In the first incident an unencrypted desktop PC containing personal data relating to about 300 patients was lost during refurbishment. On the second occasion a disused unencrypted laptop containing personal relating to 2,000 patients from prior to January 2007, was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. Personal data must not be held on any media for any longer than needed. All staff must receive adequate data protection training and be reminded of internal policies regularly.

Reason for action
The data controller did had in place policies and procedures relating to data security and the storage and transfer of equipment and data, which were not followed in either instance.

When
7 April 2009

Links
View PDF of the Hull and East Yorkshire Hospitals NHS Trust Undertaking (Breach Watch Archive)

The British Council

What
Loss of sensitive personal data.

How much
22,000 records.

Why
An unencrypted computer data storage disc containing personal data relating to 2,000 staff, including trade union membership, was lost in transit by a courier service.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed either by the data controller or any third parties. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
Although the disc was lost by a third party, the council had failed to ensure that the disc was encrypted to a minimum standard.

When
7 April 2009

Links
View PDF of the British Council Undertaking (Breach Watch Archive)

Cambridge University Hospitals NHS Foundation Trust

What
Loss of sensitive personal data.

How much
741 records.

Why
An unencrypted memory stick containing the personal data of patients was left unattended in a car and found by a car wash attended to was able to access the device and establish its ownership.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed by the Trust. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the unauthorised transfer of data onto a non-trust owned, unencrypted memory stick.

When
03 April 2009

Links
View PDF of the Cambridge University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Stockport NHS Foundation Trust

What
Loss of sensitive personal data.

How much
1,588 records.

Why
An unencrypted laptop containing sensitive personal data was stolen from a locked hospital room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented. All such devices must be registered with the IT department. All staff must receive adequate data protection training.

Reason for action
The laptop was password protected but not encrypted. It had not been locked in a cabinet as was usual but was stored in a covered box under the desk. The laptop did not appear to have been registered with the Trust’s IT department.

When
25 March 2009

Links
View PDF of the Stockport NHS Foundation Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick  containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented  All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of site, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)

The North West London Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 361 records.

Why
Two laptop computers were stolen and in a separate incident, a desktop computer was stolen. In both cases these devices held the personal data of patients.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed. All storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
In both cases the machines were password protected but not encrypted. In the second incident a swipe card security system that controlled entry to the building has been disabled for maintenance.

When
19 March 2009

Links
View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Hastings and Rother Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
A desktop computer containing health data relating to a number of patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data, whether on the data controller’s premises or those of another organisation. All staff must receive adequate data protection training.

Reason for action
It is believed that the computer was stolen by an opportunistic thief who entered the building via scaffolding that was not normally in place. The data controller did not own this building, but had not taken measures to safeguard the personal data held on the premises.

When
23 January 2009

Links
View PDF of the Hastings and Rother Primary Care Trust Undertaking (Breach Watch Archive)

Brent Teaching Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
Two unencrypted laptops containing sensitive personal data relating to 389 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process personal data. All such mobile devices must be encrypted, Staff must be adequately trained on the data controller’s information security policies.

Reason for action
The laptops were unencrypted and although the office was locked they were left out on a desk with no further physical security measures taken, contrary to the Trust’s own security policy.

When
19 January 2009

Links
View PDF of the Brent Teaching Primary Care Trust Undertaking (Breach Watch Archive)