Post Office Limited

What
Loss of personal data

How much
250 records.

Why
Items of personal information were recovered from refuse bins used by the London Road Southampton, Rymans franchise branch of the data controller. The information consisted of 65 Firm E111 applications forms, 158 receipts, 12 travel insurance forms, eight daily passport schedules and a money transfer showing the name of seven customers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that data protection procedures are reviewed and updated where necessary to ensure that the correct procedures are in place for the handling and disposal of personal data. Staff must be sufficiently trained in these procedures.

Reason for action
The data controller had established procedures as evidenced by a declaration form (Form P13), but the breach nevertheless occurred and the ICO received complaints from members of the public.

When
26 February 2007

Links

View PDF of the Post Office Limited Undertaking (Breach Watch Archive)

The Royal Bank of Scotland plc

What
Loss of personal data

How much
23 records.

Why
Items of personal data were recovered from refuse bins outside branches in Fareham, Manchester, Nottingham and Glasgow, including documents relating to individual accounts and application forms, a private banking form and a photocopy of a customer’s provisional driving license.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to all relevant staff.

Reason for action
The ICO had received complaints about the data controller’s breach of the Seventh Data Protection Principle.

When
23 February 2007

Links

View PDF of the Royal Bank of Scotland plc Undertaking (Breach Watch Archive)

National Westgate Bank plc

What
Loss of personal data

How much
8 records.

Why
Items of personal data were recovered from refuse bins outside branches in Manchester and Southampton, including fax copies of insurance forms, two cut up debit cards and a list of a customers standing orders and direct debits.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of personal data and that appropriate data protection training is given to all relevant employees.

Reason for action
The ICO had received complaints about Westgate Bank’s failure to adhere to the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the National Westgate Bank plc Undertaking (Breach Watch Archive)

HFC Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Newport Branch of the data controller, including a customer’s loan application form, a collections history printout and other miscellaneous papers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff and they are to be required to complete an online refresher course and test on a regular basis of at least once every two years.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
21 February 2007

Links
View PDF of the HFC Bank Limited Undertaking (Breach Watch Archive)

Nationwide Building Society

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Oldham of Nationwide, including a personal financial review in respect of two individuals and a customer information document.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. A review program to monitor compliance must be devised and implemented by Nationwide. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 February 2007

Links
View PDF of the Nationwide Building Society Undertaking (Breach Watch Archive)

Alliance and Leicester plc

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Nottingham of the data controller, including a premier current account application form, a life assurance letter and a credit card application form.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be reminded of their obligations relating to customer confidentiality.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle. This was in breach of a policy the data controller had in place.

When
15 February 2007

Links
View PDF of the Alliance and Leicester plc Undertaking (Breach Watch Archive)

The Co-operative Bank plc

What
Loss of personal data

How much
Three records.

Why
Items of personal information were recovered from refuse bins used by the Watford of the data controller, including letter from a customer and a motor insurance quote.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies and procedures relating to the disposal of waste containing personal information are updated and strictly adhered. Adequate and relevant data protection training must be given to all staff, including any sub-contractors.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
14 February 2007

Links
View PDF of the Co-operative Bank plc Undertaking (Breach Watch Archive)

United National Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Manchester branch of the data controller, including a copy of a fax showing business and personal account details, a remittance form, a copy of an internal email and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
13 February 2007

Links
View PDF of the United National Bank Limited Undertaking (Breach Watch Archive)

Immigration Advisory Service

What
Loss of personal data

How much
A number of records.

Why
Items of personal information relating to a case before the Asylum and Immigration Tribunal were recovered from refuse bins used by the Birmingham office the data controller.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff. A review of the processing of personal information is to undertaken to ensure that it is carried out in line with the data protection principles.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
9 February 2007

Links
View PDF of the Immigration Advisory Service Undertaking (Breach Watch Archive)

Scarborough Building Society

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the York branch of the data controller, including a customer’s mortgage application form and copies of supporting bank statements, customer account details, standing order details and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. All paper waste generating in branches must be treated as confidential and be shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
9 February 2007

Links
View PDF of the Scarborough Building Society (Breach Watch Archive)