Leicestershire County Council

What

Loss of sensitive personal data.

How much

18 records.

Why

A briefcase, containing documents to be used for initiating court proceedings, was stolen from a social worker’s house during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that existing policies are amended to include detailed guidance relating to the security of paper documents whilst home working, and that staff receive sufficient training and follow these guidelines.

Reason for action

While the social worker had asked for, and received, permission from his manager to take the documents home with him, policies had been put in place to train staff in how to secure documents outside of the office. While the manager had received this training, the social worker had not.

When

17 Apr 2012

Links

View PDF of the Leicestershire County Council Undertaking (Via ICO Website)

View PDF of the Leicestershire County Council Undertaking (Breach Watch Archive)

Hertfordshire County Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

An Attendance and Pupil Support consultation folder was lost in January 2011.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices used to store personal data are sufficiently encrypted. Hard copy documentation must only be removed from council premises when absolutely necessary.

Reason for action

Despite the incident occurring in January 2011, the relevant department within the Council did not share the outcome of their investigation with the Data Protection Team until August 2011. The investigation also revealed that the officer who lost the folder was transporting excessive information.

When

11 Apr 2012

Links

View PDF of the Hertfordshire County Council Undertaking (Via ICO Website)

View PDF of the Hertfordshire County Council Undertaking (Breach Watch Archive)

South London Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, on two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

St Georges Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

22,000 records.

Why

6 unencrypted laptops containing the personal data of a number of patients were stolen from a locked office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data. Mobile media devices must be encrypted to a suitable standard. Adequate checks must be carried out on contractors’ staff. All staff must receive adequate data protection training.

Reason for action

Due to network connection problems, patient data had been stored on laptop C drives, contrary to Trust policy, and was not encrypted.

When

27 March 2009

Links

View PDF of the St Georges Healthcare NHS Trust Undertaking (Breach Watch Archive)

The Lancaster Constabulary

Breach details

What Loss of sensitive personal data.
How much “Several” records.
When 17 July 2011
Why xxx.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
Undertaking issued to ensure that hard copy documentation contains the minimum amount of personal data necessary and is only taken out of the station when absolutely necessary. A written policy detailing these responsibilities must be produced and staff must be trained in these policies.
When 14 March 2012

Why the regulator acted

Breach of act Report lost and printed in a newspaper. Inappropriate organisational and technical measures.
Known or should have known Policies in place marked such data as highly sensitive, but no policies were in place to cover security outside of the station.
Likely to cause damage or distress Report related to vulnerable children and sex crimes.

Enable Scotland (Leading the Way)

What

Loss of sensitive personal data.

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and, at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

When

09 March 2012.

Links

View PDF of the Enable Scotland (Leading the Way) Undertaking (Via ICO Website)

View PDF of the Enable Scotland (Leading the Way) Undertaking (Breach Watch Archive)

Zurich Insurance plc

What

Loss of personal data.

How much

6,800 records.

Why

Unencrypted backup tape lost by the data processor.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that where any future movement of backup tapes is required, appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractors’ staff and effective controls must be put in place to monitor and report potential or actual data loss activity.

Reason for action

Zurich did not audit the data processor (a Group company in South Africa) and relied on group policies, procedures and controls rather than managing the outsourced relationship as it would with a normal data processor.

When

7 March 2010

Links

View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)

Durham University

What

Loss of personal data.

How much

Unknown.

Why

Training manuals posted on the data controller’s website contained actual, rather than fictitious or anonymised personal data.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that no documents containing personal data shall be placed on the data controller’s website and that staff will be made aware of IT security policies by no later than the 30th of September 2012.

Reason for action

The breach was discovered in July 2011 but the manuals had been live on the website since February 2011. During the investigation it became clear that only around 20% of staff had made use of the training materials available to them.

When

01 March 2012.

Links

View PDF of the Durham University Undertaking (Via ICO Website)

View PDF of the Durham University Undertaking (Breach Watch Archive)

London Borough of Croydon

What

Loss of sensitive personal data.

How much

Unknown.

Why

A bag belonging to a social worker employed in the Council’s Children and Young People’s Department was stolen from a public house in London. The bag contained a hard copy file of papers concerning a child in the care of the council.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will draft and implement a formal policy covering the storage, physical security, transportation, use and disposal of personal data outside of the office environment. Compliance with this policy must be monitored.

Reason for action

The Information Commissioner concluded that an apparent lack of effective controls and procedures for taking information out of the office was a major contributor to the loss of highly personal data. It was also felt that further staff training was needed.

When

01 March 2012.

Links

View PDF of the London Borough of Croydon Undertaking (Via ICO Website)

View PDF of the London Borough of Croydon Undertaking (Breach Watch Archive)

Dr. Pervinder Sanghera of Arthur House Dental Care

What

Loss of personal and limited sensitive personal data.

How much

Unknown.

Why

An unencrypted USB stick containing records relating to patients and employees of Arthur House Dental Care was found in a public place. A number of spreadsheets containing personal data stored on the device were password protected.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store and transport personal data are sufficiently encrypted. Staff must be trained not to take data off site unless necessary.

Reason for action

The memory stick had been utilised as a temporary back-up solution when the existing electronic back-up system at the practice failed. As a result of the back-up failure the memory stick was moved from the dental practice to the data controller’s home for safekeeping on a number of occasions. It is likely the memory stick was lost in transit.

When

01 March 2012.

Links

View PDF of the Dr. Pervinder Sanghera Undertaking (Via ICO Website)

View PDF of the Dr. Pervinder Sanghera Undertaking (Breach Watch Archive)