Cheshire East Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One record.
When April 2011
Why An email containing sensitive personal information relating to an individual of concern to the police was distributed to 180 unintended recipients, due to mistaken forwarding of the email, following errors of communication in the “Potentially Dangerous Person Unit”.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 15 February 2012

Why the regulator acted

Breach of act Sensitive email mistakenly forwarded to over 180 recipients.
Inappropriate organisational and technical measures.
Known or should have known Staff were aware of the sensitivity of their work by its very definition, yet an assistant officer had not received any data protection training.
Likely to cause damage or distress Details could jeopardise the data subject’s livelihood.

Croydon Council

Breach details

What Croydon Council.
How much One record.
When 20 April 2011
Why A social worker’s bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. The data controller did not appear to have provided any information security training to the social worker involved and the onus was on staff to update their own knowledge and read the data controller’s policies in the intranet. No checks were made to ensure that staff had read or understood these police.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 13 Fenruary 2012

Why the regulator acted

Breach of act Loss of papers, which could disrupt an ongoing legal case.
Inappropriate organisational and technical measures.
Known or should have known It was clear staff would need to take sensitive data outside of the office, but there were no policies in place to ensure this was done securely.
Likely to cause damage or distress Information related to an ongoing legal case.

Norfolk Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much One records.
When April 2011
Why A social worker in the Data Controller’s Children’s Service’s department intended to deliver a copy of a report on a conference to a child’s father, but accidently wrote the wrong address on an envelope and placed it through the door of the father’s neighbour. Although a policy was in place to provide guidance about sending personal data by post it was possible that the social worker was unaware of this as she had only been working in the department for 9 months and had not completed the mandatory e-training course on data protection. No process was in place to monitor trainin.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 13 February 2012

Why the regulator acted

Breach of act Even had policy been followed there was nothing to prevent the incorrect delivery of the wrongly addressed letter.
Inappropriate organisational and technical measures.
Known or should have known Staff were used to dealing with such self-evidently sensitive information, but no policies were in place to prevent a breach.
Likely to cause damage or distress Data related to the physical and emotional well-being of a child.

Fairbridge

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions password protected, but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Dacorum Borough Council

What

Loss of sensitive personal data.Loss of sensitive personal data.

How much

1,000 records.

Why

An unencrypted hard drive was stolen from an adventure playground following a burglary. It contained registration documents relating to about 1000 children who have attended the playground.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of the data controller’s policy for the storage and use of personal data. Personal data must not be retained any longer than relevant and must be disposed of in a secure manner once no longer needed.

Reason for action

The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The previous password protection had been removed when a member of staff left the Council and was not restored. It was also revealed that no annual review of the database had been performed, resulting is registration documents not being deleted in line with the Council’s retention policy.

When

10 February 2012.

Links

View PDF of the Dacorum Borough Council Undertaking (Via ICO Website)

View PDF of the Dacorum Borough Council Undertaking (Breach Watch Archive)

Brighton and Hove Council

What

Loss of sensitive personal data.

How much

Records relating to up to seven families.

Why

Theft of an unencrypted laptop during a burglary and on a separate occasion details of an employee’s income and salary deductions was accidently emailed to 2,821 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that that all portable media devices are suitably encrypted and appropriate administrative measures are put into place to control employee use of email groups.

Reason for action

The laptop was stolen from the home of a sessional worker, a casual employee under contract for a specific assignment. The data sent to the worker was supposed to have been anonymised, but had not been.

When

10 February 2012.

Links

View PDF of the Brighton and Hove Council Undertaking (Via ICO Website)

View PDF of the Brighton and Hove Council Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

Manpower UK Ltd

What

Inappropriate disclosure of personal data.

How much

400 records.

Why

A spreadsheet containing 400 people’s personal details was accidentally email to 60 employees.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of policies regarding the transmission of personal data via email, included the need to password protect or encrypt the data according to the sensitivity of the data and the risk to the data subjects.

Reason for action

The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff. However the data was transmitted unsecured over the internet and it could not be confirmed that all recipients had deleted the email as requested

When

20 January 2012.

Links

View PDF of the Manpower UK Ltd Undertaking (Via ICO Website)

View PDF of the Manpower UK Ltd Undertaking (Breach Watch Archive)

Chartered Institute of Public Relations

What

Loss of sensitive personal data.

How much

30 records.

Why

30 Membership forms were lost on a train.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a document is created that clearly outlines all employees’ responsibilities in terms of the storage, transmission, use and disposal of personal data. All necessary amendments must be made by 31 January 2012

Reason for action

The organisation did not have a written policy in place for handling personal data outside of the office at the time of incident.

When

18 January 2012.

Links

View PDF of the Chartered Institute of Public Relations Undertaking (Via ICO Website)

View PDF of the Chartered Institute of Public Relations Undertaking (Breach Watch Archive)

Powys County Council

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and has the potential for misuse.