Luton Borough Council

What

Discovery of flawed encryption.

How much

None

Why

A flaw in the encryption of memory sticks allowed them to be reformatted, removing the encryption.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all encryption is up to a sufficient standard.

Reason for action

Encryption was of an insufficient standard and this was only discovered during a recall of old devices.

When

02 September 2011.

Links

View PDF of the Luton Borough Council Undertaking (Via ICO Website)

View PDF of the Luton Borough Council Undertaking (Breach Watch Archive)

Lewisham Council and Wandle Housing Association

What

Loss of personal data.

How much

20,000 records.

Why

Loss of an unencrypted memory stick in a London pub.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that data is not transferred onto unencrypted personal media devices.

Reason for action

Staff were insufficiently trained and unaware of the dangers of copying sensitive information to personal, unsecure, devices.

When

04 August 2011.

Links

View PDF of the Lewisham Council Undertaking (Via ICO Website)

View PDF of the Lewisham Council Undertaking (Breach Watch Archive)

View PDF of the Wandle Housing Association Undertaking (Via ICO Website)

View PDF of the Wandle Housing Association Undertaking (Breach Watch Archive)

Surbiton Children’s Central Nursery

What

Loss of personal data.

How much

21 records

Why

A teacher’s bag was stolen containing an unencrypted memory stick and paperwork.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable data devices are encrypted  and that staff only take data off site when absolutely necessary.

Reason for action

The memory stick, containing personal data, was unencrypted.

When

14 June 2011.

Links

View PDF of the Surbiton Children’s Central Nursery Undertaking (Via ICO Website)

View PDF of the Surbiton Children’s Central Nursery Undertaking (Breach Watch Archive)

University College London Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

750 records.

Why

Loss of an unencrypted memory stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable media devices are sufficiently encrypted and that staff are trained in the transportation of such data.

Reason for action

Sensitive personal information should never have been transported off site in an unencrypted media device.

When

15 April 2011.

Links

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University College London Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Cambridgeshire County Council

What

Loss of sensitive personal information.

How much

A minimum of six records.

Why

An unencrypted memory stick containing the records was lost by a member of staff.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made fully aware policies related to the encryption of portable media devices.

Reason for action

Employees were issued with encrypted memory sticks, but following a technical difficulty with the encryption function the employee used an unencrypted and unauthorised device.

When

23 February 2011.

Links

View PDF of the Cambridgeshire County Council Undertaking (Via ICO Website)

View PDF of the Cambridgeshire County Council Undertaking (Breach Watch Archive)

Stoke-on-Trent City Council

What

Loss of sensitive personal information.

How much

40 records.

Why

An unencrypted memory stick containing social service records for 40 children was found by a member of the public. The memory stick was not password protected either.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all mobile media devices are sufficiently encrypted and that staff are made aware of policies relating to the use and storage of personal data.

Reason for action

Although there was a legitimate reason for the data to be on a memory stick the one used was not an approved encrypted device.

When

22 November 2010

Links

View PDF of the Stoke-on-Trent City Council Undertaking (Via ICO Website)

View PDF of the Stoke-on-Trent City Council Undertaking (Breach Watch Archive)

Forth Valley NHS Board

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handing in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the Newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)

East & North Hertfordshire NHS Trust

What

Loss of sensitive personal information.

How much

Unknown.

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller’s policy for the use of portable media and storage and use of personal media is clarified and all staff are made aware of its provisions .

Reason for action

The unencrypted USB stick had not been issued by the data controller.

When

20 September 2010

Links

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Via ICO Website)

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Breach Watch Archive)

London Borough of Barnet

What
Loss of sensitive personal information.

How much
Over 9,000 records.

Why
Theft of an encrypted laptop and unencrypted USB and CDs from an employee’s home.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are sufficiently encrypted and that staff are suitably trained in the data controller’s policies on data protection, which must be regularly monitored.  Finally the data controller shall agree to a further audit by the ICO within the current fiscal year, to ensure that the requirements of this undertaking are met.

Reason for action
The employee had downloaded the data into the unencrypted devices without authorisation, though enquires revealed that insufficient measures were in place to prevent staff from doing so.

When
15 June 2010

Links
View PDF of London Borough of Barnet Undertaking (Via ICO Website)

View PDF of London Borough of Barnet Undertaking (Breach Watch Archive)

West Berkshire Council

What

Loss of sensitive personal data.

How much

Unknown.

Why

Loss of an unencrypted USB stick containing sensitive personal data. This was the second data security incident reported by the data controller within 6 months.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store sensitive personal data are encrypted to a sufficient standard.

Reason for action

The USB stick had been used in 2005 by a member of the data controller’s social work department and was not encrypted or password-protected. Although the data controller had provided encrypted USB sticks since 2006 it never required the return of previously used unencrypted media devices.

When

27 May 2010

Links

View PDF of West Berkshire Council’s Undertaking (Via ICO Website)

View PDF of West Berkshire Council’s Undertaking (Breach Watch Archive)