Mansfield District Council

Posted on 25 January 2013 by BreachMaster

Breach details

What	Personal data of housing benefit claimants was disclosed to the wrong housing association.
How much	An undisclosed number of records.
When	August 2009 to November 2012
Why	Correspondence containing personal data was sent in error by the council’s Revenues and Benefits service to a Mansfield housing association over an extended period.

BW Comments

What is interesting about this breach is that it was reported to the ICO by the housing authority that received the data in error, and not Mansfield Council. I suspect that the housing association will first have contacted the Council and after that had no effect on the incorrectly addressed correspondence (the breach continued for three years), alerted the Commissioner. The Council’s real failing was to not fix the problem when told about it.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the seventh data protection principle
When	25 January 2013
Details	Employees and any other staff with access to personal data must be made aware of, and trained in, the policy for storage and use of personal data. Training must be provided to contractors as well as staff, and records of training to be maintained.

BW Observations

The breach was almost certainly due to administrative human error; however our view is that the enforcement action was taken as a result of the council not fixing the problem when it was initially alerted. The core problem was that the council didn’t have a sufficiently robust plan to identify and rectify a data breach when it was first reported. The undertaking should have also included a requirement for the Council to develop and test a breach response plan, which identified data breaches and ensured they were rectified.

Links

View PDF of the Mansfield District Council Undertaking (Breach Watch Archive)

View PDF of the Mansfield District Council Undertaking (Via ICO Website)

Follow Up

The ICO conducted a follow up assessment on 03 May 2013 (published by ICO on 01 November 2013).

View PDF of the Mansfield District Council Undertaking Follow Up (Breach Watch Archive)

View PDF of the Mansfield District Council Undertaking Follow Up (Via ICO Website)

Leeds City Council

Posted on 1 January 2013 by BreachMaster

Breach details

What	Loss of sensitive personal data (child protection).
How much	Personal data relating to 4 data subjects.
When	28 July 2011
Why	A support assistant, following council policy and re-using an old envelope for internal mail, failed to cross out the original address and later mistakenly put the envelope in the external post tray. As a result, the document was received by an unauthorised individual.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 95,000
When	16 November 2012

Why the regulator acted

Breach of act	Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
Known or should have known	The ICO was satisfied that the Council should have known that that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress	The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.

Links

View PDF of the Leeds City Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Leeds City Council Monetary Penalty Notice (Via ICO Website)

Devon County Council

Posted on 1 January 2013 by BreachMaster

Breach details

What	Loss of sensitive personal data
How much	Personal data relating to approximately 22 data subjects.
When	12 May 2011
Why	A social worker prepared an adoption panel report using another family’s report as template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 90,000
When	10 December 2012

Why the regulator acted

Breach of act	Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known	Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress	The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.

Links

View PDF of the Devon County Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Devon County Council Monetary Penalty Notice (Via ICO Website)

London Borough of Lewisham

Posted on 1 January 2013 by BreachMaster

Breach details

What	Loss of sensitive personal data (child protection).
How much	Personal data relating to an undisclosed number of data subjects.
When	16 March 2012
Why	Case papers relating to a child protection matter were taken out of the office in a plastic bag and were mistakenly left on a train.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000
When	12 December 2012

Why the regulator acted

Breach of act	Breach of the seventh principle: the council had failed to take appropriate measures against the accidental loss of personal data such as having robust policies/ guidelines in place; training for staff who need to take paper files containing sensitive personal data out of the office; providing security locks for bags and using encrypted USBs.
Known or should have known	The council recognised that social workers had a business need to take paper files containing confidential and sensitive personal data out of the office and should have put reasonable measures in place to prevent data loss.
Likely to cause damage or distress	The data loss would potentially cause substantial distress to individuals including vulnerable children who may know or suspect that their confidential and highly sensitive personal data has been disclosed; and the contravention could have prejudiced the court hearing of the child protection case.

Links

View PDF of the London Borough of Lewisham Monetary Penalty Notice (Breach Watch Archive)

View PDF of the London Borough of Lewisham Monetary Penalty Notice (Via ICO Website)

Plymouth City Council

Posted on 24 November 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data (child protection).
How much	2 records.
When	23 November 2011
Why	As a result of a printing problem, two seperate reports were taken from a printer by a social worker, treated as single document and passed to a service user.

BW Comments

A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment it is not unreasonable – given the widespread availability and relative low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 60,000
When	19 November 2012

Why the regulator acted

Breach of act	Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided.
Known or should have known	The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
Likely to cause damage or distress	The information concerned child protection and could have have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight, however the breach occurred because there were no controls in place and not because a in-place control failed.

Links

View PDF of the Plymouth City Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Plymouth City Council Monetary Penalty Notice (Via ICO Website)

Stoke-on-Trent City Council

Posted on 25 October 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	11 records.
When	14 December 2011
Why	11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 120,000 Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When	25 October 2012

Why the regulator acted

Breach of act	Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known	Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
Likely to cause damage or distress	Data was confidential and highly sensitive and related to an ongoing legal case.

Links

View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Stoke-on-Trent City Council Monetary Penalty Notice (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Enforcement Notice (Breach Watch Archive)

View PDF of the Stoke-on-Trent City Council Enforcement Notice (Via ICO Website)

Norwood Ravenswood Ltd

Posted on 10 October 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	Four records.
When	5 December 2011
Why	A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared..

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000
When	10 October 2012

Why the regulator acted

Breach of act	Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not recieved any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known	The data controller had an overarching data protection policy which staff were aware of, even if specific guidence was not given. The sensitivity of staff’s work would have been self evident.
Likely to cause damage or distress	The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Links

View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Norwood Ravenswood Ltd Monetary Penalty Notice (Via ICO Website)

Torbay Care Trust

Posted on 6 August 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	1,373 records.
When	April 2011
Why	Sensitive personal information relating to 1,373 employees was published on the Trust’s website in an excel spreadsheet intended to display equality and diversity metrics. This information was publicly available for over 19 weeks.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 175,000
When	6 August 2012

Why the regulator acted

Breach of act	Staff received no guidance as to what information should not be published. No checking processes were in place to prevent excessive information being published.
Known or should have known	The data controller was holding confidential and sensitive personal data relating to its employees and should have recognised the potential for human error when uploading data to its website in the absence of appropriate security measures.
Likely to cause damage or distress	Financial and Medical data. May have been accessed by untrustworthy third parties.

Links

View PDF of the Torbay Care Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Torbay Care Trust Monetary Penalty Notice (Via ICO Website)

Marston Properties

Posted on 6 August 2012 by BreachMaster

What
Loss of personal data

How much
37 records.

Why
37 staff members’ details were lost when the filing cabinet the information was stored in was sent to a recycling centre and crushed.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to support staff who handle personal data and that these will be communicated to all relevant staff along with information governance training.

Reason for action
The data controller had established procedures, but did not have a specific written information handling policy in place and employees had not received formal data protection training.

When
6 August 2012

Links
View PDF of the Marston Properties Undertaking (Via ICO Website)

View PDF of the Marston Properties Undertaking (Breach Watch Archive)

West Lancashire Borough Council

Posted on 13 July 2012 by BreachMaster

What
Loss of personal data

How much
370 records.

Why
A business continuity bag containing emergency response documents and personal data relating to employees was stolen from a locked vehicle belonging to an officer.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the minimum amount of personal data necessary for emergency business is taken off site and that staff are fully training in data protection policy.

Reason for action
The data controller had some relevant guidance in place at the time of the incident, but could have provided clearer written instruction on the secure storage of hard copy personal data off site for emergency.

When
13 July 2012

Links
View PDF of the Lancashire Borough Council Undertaking (Via ICO Website)

View PDF of the Lancashire Borough Council Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500