London Ambulance Service NHS Trust

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of an unencrypted laptop from a staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff members are made aware that sensitive personal data is not to be forwarded to personal email accounts under any circumstances.

Reason for action

Data was emailed by a staff member to a personal account and downloaded onto a personal, unencrypted laptop.

When

07 September 2011.

Links

View PDF of the London Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the London Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

University Hospital of South Manchester NHS Foundation Trust

What

Loss of sensitive personal data.

How much

87 records.

Why

Loss of an unencrypted memory stick by a medical student.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that students are provided with sufficient training and that the security of personal data is sufficiently monitored.

Reason for action

It was assumed that the medical student had already received sufficient data protection training. Sensitive data was copied from an encrypted memory stick provided by the hospital to an unencrypted personal memory stick.

When

07 September 2011.

Links

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Breach Watch Archive)

The Scottish Children’s Reporter Administration

What

Loss of sensitive personal data.

How much

10 records.

Why

An email containing sensitive information was sent to an unknown third party, and nine case files were temporarily lost during a move.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware that they may not send data to personal email accounts.

Reason for action

Information was emailed despite a policy being in place that stated this could only be done if sent to an equally secure recipient. A filing cabinet was not checked for case files during a move.

When

02 September 2011.

Links

View PDF of the Scottish Children’s Reporter Administration Undertaking (Via ICO Website)

View PDF of the Scottish Children’s Reporter Administration Undertaking (Breach Watch Archive)

London Borough of Greenwich

What

Two incidents of disclosure of sensitive personal information.

How much

Two records.

Why

Information sent to incorrect email addresses.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the Council’s IT policy specifically makes it clear that data is not to be sent to personal emails.

Reason for action

Both incidents saw staff fail to adhere to the Council’s IT policy regarding the encryption of data. However, the policy did not explicitly prevent the sending of data to personal emails.

When

10 August 2011.

Links

View PDF of the London Borough of Greenwich Undertaking (Via ICO Website)

View PDF of the London Borough of Greenwich Undertaking (Breach Watch Archive)

Lewisham Council and Wandle Housing Association

What

Loss of personal data.

How much

20,000 records.

Why

Loss of an unencrypted memory stick in a London pub.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is not transferred onto unencrypted personal media devices.

Reason for action

Staff were insufficiently trained and unaware of the dangers of copying sensitive information to personal, unsecured devices.

When

04 August 2011.

Links

View PDF of the Lewisham Council Undertaking (Via ICO Website)

View PDF of the Lewisham Council Undertaking (Breach Watch Archive)

View PDF of the Wandle Housing Association Undertaking (Via ICO Website)

View PDF of the Wandle Housing Association Undertaking (Breach Watch Archive)

Kirklees Metropolitan Council

What

Personal data unnecessarily disclosed.

How much

18 records.

Why

Records left visible in an employee’s car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient security measures are implemented and checked to prevent inappropriate disclosure of personal data.

Reason for action

Similar accidental disclosures had already occurred during the past year, and insufficient measures had been put in place to prevent any recurrence.

When

29 July 2011.

Links

View PDF of the Kirklees Metropolitan Council Undertaking (Via ICO Website)

View PDF of the Kirklees Metropolitan Council Undertaking (Breach Watch Archive)

University of York

What

Loss of personal data.

How much

148 records.

Why

Failure to close a test area on the University’s website that contained student records.

Regulator

ICO

Regulatory action

Undertaking issued requiring university IT staff to ensure the appropriate security of all data following maintenance.

Reason for action

Insufficient managerial control was in place to ensure that the test version of the database was deleted.

When

20 July 2011.

Links

View PDF of the University of York Undertaking (Via ICO Website)

View PDF of the University of York Undertaking (Breach Watch Archive)

Lancashire Police Authority

What

Loss of sensitive personal data.

How much

Unknown.

Why

Sensitive personal data was accidentally published on the data controller’s website.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient training and security measures are put into place to prevent accidental disclosure of sensitive data.

Reason for action

The data controller was insufficiently familiar with the relatively new system being used to publish their website and failed to take immediate action having been made aware of the error.

When

19 July 2011.

Links

View PDF of the Lancashire Police Authority Undertaking (Via ICO Website)

View PDF of the Lancashire Police Authority Undertaking (Breach Watch Archive)

Lancashire Teaching Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

Two records.

Why

Sensitive personal information was mistakenly faxed to a member of the public on several occasions.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the organisation’s policies regarding the use and storage of sensitive data and its security.

Reason for action

The wrong number was mistakenly inserted into the fax machine.

When

01 July 2011.

Links

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Basildon and Thurrock University Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

One record.

Why

Faxes were sent to the wrong recipient over a period of at least a year.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that records are transmitted to GPs in a more secure manner and that a ring-ahead procedure is implemented.

Reason for action

The fax was intended for the patient’s GP, but the wrong fax number was recorded.

When

01 July 2011.

Links

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)