Hampshire Partnership NHS Trust

What
Loss of personal data.

How much
1,161 records.

Why
1,161 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transporting of all personal data should be risk assessed, and where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
19 December 2008

Links
View PDF of the Hampshire Partnership NHS Trust Undertaking (Breach Watch Archive)

Virgin Media Limited

What
Loss of personal data.

How much
3,383 records.

Why
An unencrypted compact disc containing the personal data of 3,383 customers passed on to the data controller by Carphone Warhouse was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that media devices used to transport and store personal data are encrypted and that any contracts between the data controller and any data processors require this.

Reason for action
The lost CD was unencrypted and the arrangement between the data controller and data processor was insufficient.

When
17 September 2008

Links
View PDF of the Virgin Media Limited Undertaking (Breach Watch Archive)

Skipton Financial Services Limited

What
Inappropriate processing of personal data

How much
Unknown.

Why
An unencrypted laptop computer was stolen from Moore Stephens Consulting, who had been engaged to provide professional consultancy services to SFS in relationship to a software development project.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data must be encrypted. Risk assessments must be carried out to confirm the adequacy and effectiveness of technical and organisational security measures, including those taken by third parties.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
18 February 2008

Links
View PDF of the Skipton Financial Services Limited Undertaking (Breach Watch Archive)

Southampton City Primary Care Trust

What
Loss of personal data.

How much
168 records.

Why
168 Trust payslips containing employee personal data were lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the transporting of all personal data should be risk assessed, and where appropriate, tracked. A review of all internal post procedures should be conducted for security purposes. All staff must receive adequate data protection training.

Reason for action
It could not be explained where or how the payslips had gone missing.

When
13 January 2008

Links
View PDF of the Southampton City Primary Care Trust Undertaking (Breach Watch Archive)

The Department of Health

What
Inappropriate processing of personal data

How much
Unknown.

Why
The personal details of junior doctors held on the Medical Training Application Service (MTAS) website was readily accessible to any person accessing the website.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that sensitive personal data held on the website must be encrypted. Instructions and advice as to the use of passwords and PIN numbers be given to the data controller to those entitled to access the site. Staff will be given appropriate training and regular penetration and vulnerability testing of developing applications and systems to minimise unauthorised access.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
4 December 2007

Links
View PDF of the Department of Health Undertaking (Breach Watch Archive)

The Foreign and Commonwealth Office

What
Loss of personal data

How much
Unknown.

Why
The ICO was informed by Ukvisas that there had been a breach of security in the VFS online visa application facility. The security breach resulted in the personal data of persons applying for visas to enter being viewable by others.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the VFS on-line application websites will not be re-opened and will be replaced by visa4UK. A strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processor’s data security procedures. The website will be regularly monitored and adequate and relevant data protection will be given to all UKvisas staff on an ongoing basis.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
19 October 2007

Links
View PDF of the Foreign and Commonwealth Office Undertaking (Breach Watch Archive)

The Northern Ireland Office

What
Inappropriate processing of personal data

How much
Unknown.

Why
The data controller failed to respond to a subject access request made by the data subject relating to the processing of personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all subject access requests received by the data controller are dealt with in compliance with the provisions contained within Section 7 of the Data Protection Act. Adequate and relevant training is provided to all employees who are engaged in the process of dealing with subject access requests.

Reason for action
The ICO had received a complaint about the data controller’s failure to respond to a subject access request.

When
9 July 2007

Links
View PDF of the Northern Ireland Office Undertaking (Breach Watch Archive)

Orange Personal Communications Services Limited

What
Loss of personal data

How much
A number of records.

Why
Members of staff who had recently commenced working for the company were allowed to share user names and passwords to access company computer systems holding the personal data of Orange customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances.

Reason for action
The ICO had received a complaint about the sharing of user names and passwords by Customer Service Representatives.

When
23 May 2007

Links
View PDF of the Orange Personal Communications Services Limited Undertaking (Breach Watch Archive)

Phones 4U Ltd

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Phones 4U premises in Market Way, Coventry, and Regent Street, Swindon. The information included documentation showing customer names and addresses, and bank account details.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
17 May 2007

Links
View PDF of the Phones 4U Ltd Undertaking (Breach Watch Archive)

Dipesh Limited (Trading as Cash Generator)

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from a refuse bin outside the Cash Generator premises in Bridge Street, Nuneaton, including correspondence showing customer names and addresses.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all paper waste generated is to be treated as confidential and shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
23 April 2007

Links
View PDF of the Dipesh Limited (Trading as Cash Generator) Undertaking (Breach Watch Archive)