Sandwell Metropolitan Borough Council

What
Loss of sensitive personal data.

How much
About four records.

Why
An unencrypted memory stick containing data relating to children in care was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices are encrypted to a suitable standard. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.

Reason for action
Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
29 July 2009

Links
View PDF of the Sandwell Metropolitan Borough Council Undertaking (Breach Watch Archive)

Chelsea & Westminster Hospital

What
Loss of sensitive personal data.

How much
143 records.

Why
An unencrypted memory stick containing patient information was stolen from an unattended and unlocked office being used for a walk-in clinic.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The disc was not encrypted and in fact was not even password protected. The employee was not aware that secure network drive and encryption facilities were available and had used a personal memory stick since Trust equipment was not available.

When
2 June 2009

Links
View PDF of the Chelsea & Westminster Hospital Undertaking (Breach Watch Archive)

Leicester City Council

What
Loss of sensitive personal data.

How much
About 80 records.

Why
An unencrypted USB memory stick containing data relating to about 80 children was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Staff must be suitably trained in these internal policies and sufficient supervisory checks must be put into place to ensure adherence.

Reason for action
The storage of personal data on an unencrypted USB stick was contrary to council policies and procedures, which required all such devices to be purchased centrally through its IT department and encrypted.

When
7 May 2009

Links
View PDF of the Leicester City Council Undertaking (Breach Watch Archive)

Leasowes Community College

What
Loss of sensitive personal data.

How much
About 1,500 records.

Why
An unencrypted USB memory stick containing the personal data of pupils was found by a member of the public.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such a policy.

Reason for action
The USB stick was of poor quality and unencrypted. It does not appear to have been missed and adequate relevant policies and staff training were not in place.

When
20 April 2009

Links
View PDF of the Leasowes Community College Undertaking (Breach Watch Archive)

Central Lancashire Primary Care Trust

What
Loss of sensitive personal data.

How much
6,360 records.

Why
An encrypted memory stick containing data relating to medical treatment was lost by a member of staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed and that mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the loss of the data in question. The memory stick had a “Post it” sticker adhered to it containing the applicable password for the use of the stick.

When
8 April 2009

Links
View PDF of the Central Lancashire Primary Care Trust Undertaking (Breach Watch Archive)

Cambridge University Hospitals NHS Foundation Trust

What
Loss of sensitive personal data.

How much
741 records.

Why
An unencrypted memory stick containing the personal data of patients was left unattended in a car and found by a car wash attendant, who was able to access the device and establish its ownership.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of personal data being processed by the Trust. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure sufficient security measures were in place to prevent the unauthorised transfer of data onto a non-trust owned, unencrypted memory stick.

When
03 April 2009

Links
View PDF of the Cambridge University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller take all reasonable measures to ensure the physical security of equipment used to process physical data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data is implemented. All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were not encrypted, or locked away out of sight, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)