UK: Five councils, a youth charity, and a healthcare provider sign undertakings following data breaches
Five councils breached the Data Protection Act by failing to keep people’s personal information secure, Information Commissioner, Christopher Graham, said today:
Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing. The Council has signed an undertaking committing them to take action to address the problems highlighted in each incident.
Meanwhile, in July 2011, an employee of Brighton and Hove Council emailed the details of another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.
Corrective undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council.
The Dacorum breach had been reported in the media after the theft at Bennetts End Adventure Playground. The undertaking provides some details about the types of data involved:
The Information Commissioner (the “Commissioner”) was notified that between 12 August 2011 and 14 August 2011 a computer hard drive containing sensitive personal data was stolen from an adventure playground following a burglary. The computer contained approximately 1000 registration documents of children who have attended the playground. The details included name, address, date of birth, school attended, and in some cases a ‘tick-box’ indication as to whether the data subject had any allergies or other conditions relevant to playground attendance
The Commissioner’s enquiries revealed that the registration documents were stored on the desktop and were not password protected. The password that had protected the registration document was removed in 2008 when a member of staff left the Council and was not restored.
One of the two Bolton Council breaches from last summer had also been reported in the media, but belatedly – if it’s even the same breach that had been mentioned in December media coverage. From the undertaking:
In July 2011, the Information Commissioner (the “Commissioner”) received a report from the data controller about the theft of a rucksack from a keyworker’s car. The bag contained hard copy documentation that featured various types of sensitive personal data relating to several individuals. A second incident was also reported at the same time involving an email sent in error to several hundred people, all of whom either worked for, or with, the data controller. Attached to the email was a completed occupational health form for one employee.
The rest of the breaches seem to have flown under the media radar, including an incident that resulted in Craven District Council signing an undertaking after the theft of a laptop containing unencrypted data on 2,300 people:
The Information Commissioner (the “Commissioner”) was informed by the Council of the theft of an unencrypted laptop containing a database with child swimming lesson details for 2300 individuals. The information was not of a nature that would be defined as sensitive personal data in the Act.
The laptop was stolen from a ground level office at the Aireville Swimming Pool, Skipton. This office is protected by several security devices and the police attended the scene within minutes of the office being entered. However the intruder was able to immediately remove the laptop and escape just as the police arrived. This was because the laptop had been left unsecured on a desk in a position where it could be seen from outside the office.
As well as the five local authorities, undertakings for youth charity Fairbridge and healthcare provider Turning Point were also published today. In the Fairbridge matter, the undertaking was signed after two separate incidents where laptops with unencrypted employee data were lost by employees who had taken them outside of the office premises. In the Turning Point case, an undertaking was signed after two incidents involving loss of patient records during office relocations.