Worcestershire County Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much “A large number” of records.
When Unknown
Why A member of staff accidently clicked on an additional contact list while sending out an email intended for internal use and so two spreadsheets containing sensitive personal information were sent to 23 registered care providers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 80,000
When 28 November 2011

Why the regulator acted

Breach of act Staff were not provided with sufficient training and internal and external email distribution lists were not clearly differentiated.
Inappropriate organisational and technical measures.
Known or should have known Employees routinely dealt with confidential and sensitive personal data and manages should have realised the potential for human error when selecting emails lists.
Likely to cause damage or distress Details of vulnerable young adults.

North Somerset Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

Central Essex Community Services

What

Loss of sensitive personal data.

How much

249 records.

Why

Loss of a birth book from a locked storage room.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient physical security measures are in place for the storage of paper medical records and compliance with these measures are monitored.

Reason for action

The birth book was supposed to be locked in a filing cabinet in accordance with the data controller’s policy, but it was stored on top of the cabinet due to a lack of storage space.

When

21 November 2011.

Links

View PDF of the Central Essex Community Services Undertaking (Via ICO Website)

View PDF of the Central Essex Community Services Undertaking (Breach Watch Archive)

Rochdale Metropolitan Borough Council

What

Loss of personal data.

How much

“Thousands”

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issues to ensure that all portable media devices used to store personal data are sufficiently encrypted and that policies and procedures on the storage, processing, transmission and disposal of personal data shall be reviewed and revised by no later than 1 December 2011.

Reason for action

Although much of the data on the USB stick was already available in the public domain it became clear during investigations that data protection training was insufficient and that encrypted memory sticks were not provided in those cases when more private data would have been stored.

When

03 November 2011.

Links

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Via ICO Website)

View PDF of the Rochdale Metropolitan Borough Council Undertaking (Breach Watch Archive)

University Hospitals Coventry & Warwickshire NHS Trust

What

Loss of sensitive personal data on two occasions.

How much

One record and 18 records.

Why

A patient’s medical record was allegedly found in a waste bin outside Coventry’s University Hospital by a member of the public. Two months previously the records of 18 patients were found in a public waste bin in a residential apartment block.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the storage, use, disposure and removal from the premises of personal information are made clear to staff and that compliance is monitored.

Reason for action

The short time between the two incidents suggested that insufficient measures were being taken to safeguard personal data.

When

27 October 2011.

Links

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Via ICO Website)

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Breach Watch Archive)

Spectrum Housing Group

What

Personal data relating to employees accidently sent to an outside recipient.

How much

200 records.

Why

Records accidently sent to an outside recipient due to the data controllers’ e-mail system automatically predicting the intended recipient based on previous sent messages.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data will only be sent by email when necessary. Data should be made secure and staff should be made aware of company policies.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

19 October 2011.

Links

View PDF of the Spectrum Housing Group Undertaking (Via ICO Website)

View PDF of the Spectrum Housing Group Undertaking (Breach Watch Archive)

Dumfries and Galloway Council

What

Accidental online disclosure of staff’s personal information.

How much

887 records.

Why

Records were accidently published online in response to a Freedom of Information (Scotland) Act request.

Regulator

ICO

Regulatory action

Undertaking issued to undergo an externally commissioned audit and to put it place checks to prevent another such occurrence.

Reason for action

Insufficient measures were taken to prevent an accidental loss of unsecured personal information.

When

17 October 2011.

Links

View PDF of the Dumfries and Galloway Council Undertaking (Via ICO Website)

View PDF of the Dumfries and Galloway Council Undertaking (Breach Watch Archive)

Poole Hospital NHS Trust

What

Loss of sensitive personal data.

How much

240 records.

Why

Theft of two diaries stolen from a nurses’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is kept physically secure both at home and in the work place and that personal data is kept to the minimum required and anonymised where possible.

Reason for action

The diaries contained information the nurse might need off hours, but were kept, unsecured, in her car outside her home.

When

04 October 2011.

Links

View PDF of the Poole Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Poole Hospital NHS Trust Undertaking (Breach Watch Archive)

Royal Liverpool and Broadgreen University Hospitals NHS Trust

What

Loss of sensitive personal data on two occasions.

How much

22 records and 27 records.

Why

  • Ward handover sheets were discovered in a street near the hospital.
  • A clinic bag containing paper documents was stolen from a staff members’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the requirements for keeping data secure.

Reason for action

Both occasions seem to have been caused by staff failing to take the proper precautions.

When

15 September 2011.

Links

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Liverpool and Broadgreen University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Eastern and Coastal Kent Primary Care Trust

What

Loss of personal data.

How much

1.6 million records.

Why

A filling cabinet containing records was sent to a landfill during a move, however it also contained a CD holding data on 1.6 million patients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff receive the necessary Information Governance training and are made aware of retention and storage policies.

Reason for action

A failure of internal communication meant that the presence of the CD in the filing cabinet was not known to those disposing of it.

When

14 September 2011.

Links

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Via ICO Website)

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Breach Watch Archive)