St George’s Healthcare NHS Trust

Posted on 12 July 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	Two records.
When	2011
Why	Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, at which the subject had resided at 5 years previous. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged into the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved with compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 60,000
When	12 July 2012

Why the regulator acted

Breach of act	Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS.
Likely to cause damage or distress	Medical data.

Links

View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

Welcome Financial Services Limited

Posted on 5 July 2012 by BreachMaster

Breach details

What	Loss of personal data.
How much	Approximately 2 million records.
When	7 November 2011
Why	Backup tapes of Shopacheck’s LAN were transported back and forth between the network site and an offsite storage room. On the 23rd of November 2011 it was discovered that two of these tapes, containing personal data, of millions of individuals were missing.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 150,000
When	5 July 2012

Why the regulator acted

Breach of act	Unencrypted tapes were lost, and have still not been recovered. Inappropriate organisational and technical measures.
Known or should have known	Data controller was aware of the possible consequences of the tapes going missing, since policies were in place requiring encryption.
Likely to cause damage or distress	Financial information of customers.

Links

View PDF of the Welcome Financial Services Limited Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Welcome Financial Services Limited Monetary Penalty Notice (Via ICO Website)

South Yorkshire Police

Posted on 26 June 2012 by BreachMaster

What
Loss of personal data

How much
600 records.

Why
Personal data, relating to drug offences by 600 arrested individuals, was accidently included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be training in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offender’s names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.

When
26 June 2012

Links
View PDF of the South Yorkshire Police Undertaking (Via ICO Website)

View PDF of the South Yorkshire Police Undertaking (Breach Watch Archive)

Telford & Wrekin Council

Posted on 6 June 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal data.
How much	Two records over two incidents.
When	31 March 2011
Why	On the first occasion a Social Worker sent a Social Care Core Assessment report to the child’s sibling instead of the mother. A second incident was reported by the Council to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother, in this incident the authority decided to move the children to a different foster carer.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 90,000
When	6 June 2012

Why the regulator acted

Breach of act	There was no formal checking process in place to prevent documents being sent to the wrong recipients . Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with such cases on a daily basis and were aware of the sensitivity of the data being handled. Two separate incidents occurred in 2 months.
Likely to cause damage or distress	Data relating to vulnerable child in foster care.

Links

View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Telford & Wrekin Council Monetary Penalty Notice (Via ICO Website)

Brighton and Sussex University Hospitals NHS Trust

Posted on 1 June 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	79,000 records.
When	March 2008
Why	Initially four hard drives sold eBay in October and November 2010 were found to contain were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the IT supplier to the Trust to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken there were insufficient records taken to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 325,000
When	1 June 2012

Why the regulator acted

Breach of act	Failure to select a data processor able to provide gurantees of technical security – loss of hard drives. Inappropriate organisational and technical measures.
Known or should have known	Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.
Likely to cause damage or distress	Medical Data of Patients.

Links

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice (Via ICO Website)

View the Brighton and Sussex University Hospitals response to the penalty (external archive)

Holroyd Howe Independent Ltd

Posted on 23 May 2012 by BreachMaster

What

Loss of personal information.

How much

All payment records for the data controller’s employees.

Why

A data processor received a request from one of the data controller’s ex-employees for a copy of one of his payslips. In error, the data processor, which was acting on behalf of the data controller, emailed him a PDF document showing the relevant month’s payslips for all the data controller’s employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s amended policy for the storage and use of personal data and are appropriately trained how to follow that policy. Personal data transmitted over email must be encrypted to a sufficient standard.

Reason for action

In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.

When

23 May 2012

Links

View PDF of Holroyd Howe Independent Ltd Undertaking (Via ICO Website)

View PDF of Holroyd Howe Independent Ltd Undertaking (Breach Watch Archive)

Central London Community Healthcare NHS Trust

Posted on 21 May 2012 by BreachMaster

Breach details

What	Inappropriate disclosure of sensitive personal data.
How much	59 records.
When	28 March 2011
Why	On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 90,000
When	21 May 2012

Why the regulator acted

Breach of act	Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
Likely to cause damage or distress	Medical data of patients.

BW Observations

This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.

Links

View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)

View PDF of the Information Tribunal Decision.

An analysis of the tribunal decision at the Panopticon blog. (Interestingly barristers from 11KBW acted for both the Commissioner and the Trust)

London Borough of Barnet

Posted on 15 May 2012 by BreachMaster

Breach details

What	Loss of sensitive personal information.
How much	15 records.
When	23 April 2011
Why	Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000
When	15 May 2012

Why the regulator acted

Breach of act	Loss of paper records. Inappropriate organisational and technical measures.
Known or should have known	Staff were aware of the sensitive nature of the data they dealt with and that it was often necessary for paper records to be taken out of the office.
Likely to cause damage or distress	Data relating to child exploitation.

Links

View PDF of the London Borough of Barnet Monetary Penalty Notice (Breach Watch Archive)

View PDF of the London Borough of Barnet Monetary Penalty Notice (Via ICO Website)

Aneurin Bevan Health Board

Posted on 30 April 2012 by BreachMaster

Breach details

What	Loss of sensitive personal data.
How much	One records.
When	24 March 2011
Why	A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor and the letter lacked any other identifiers, and the secretary accidently chose the wrong record from the electronic patient record system.

Regulatory action

Regulator	ICO
Action	Monetary penalty of £ 70,000 Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, must immediately be adopted across all the data controller’s sites.
When	30 April 2012

Why the regulator acted

Breach of act	Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management. Inappropriate organisational and technical measures.
Known or should have known	Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double checking.
Likely to cause damage or distress	Medical data.

Links

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Monetary Penalty Notice (Via ICO Website)

View PDF of the Aneurin Bevan Health Board Undertaking (Breach Watch Archive)

View PDF of the Aneurin Bevan Health Board Undertaking (Via ICO Website)

Brecon Beacons National Park Authority

Posted on 18 April 2012 by BreachMaster

What

Unauthorised disclosure of personal data.

How much

Two incidents.

Why

On the first occasion personal data of relatively low sensitivity held in local development plan consultation comment forms was disclosed. On the second occasion planning application documents were published on a website, containing personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate security measures are put in place to prevent unauthorised access to personal data from the data controller’s website.

Reason for action

It was felt that insufficient care was taken to prevent the disclosure of personal details such as telephone numbers and email addresses.

When

18 Apr 2012

Links

View PDF of the Brecon Beacons National Park Authority Undertaking (Via ICO Website)

View PDF of the Brecon Beacons National Park Authority Undertaking (Breach Watch Archive)

FCA/FSA (7)	£ 7,777,000
ICO DPA (55)	£ 5,573,500