UK: ICO announces two undertakings following theft of sensitive personal data
The Information Commissioner’s Office announced two undertakings today.
The first, involving Western Health & Social Care Trust follows two incidents. One incident concerned the theft of two computers from Trust premises during a burglary on October 8, 2013. The computer contained sensitive personal data relating to the provision of specialist mental health services by a retired employee. Although investigation determined that the information had been deleted from the desktop, there was a risk it could still be retrieved from the hard drive. So there was unencrypted information that could have: (1) been stored offline, and (2) the Trust could have more securely deleted the sensitive information. 1
The second incident was reported to the ICO in June 2014 after photocopied medical records disclosed to an individual in response to a subject access request (SAR) contained information about two other patients.
You can read the Western Health & Social Care Trust undertaking here (pdf).
The ICO also announced an undertaking had been signed by Rochdale Borough Council. The ICO had been contacted by a member of the public that the individual had found social care papers in a public place. The paper files had been held in a cotton bag and had been stolen from the boot of a social worker’s car between the evening of 5 January and the morning of 6 January 2014. The papers contained personal data relating to 86 individuals. Sensitive personal data, including health, mental health, and sexual offence data was included in the files of 29 of those individuals. On investigation, the ICO determined that the social care worker had violated policy by removing too much information from the office, and, also importantly, had never received data protection training, despite having worked for the council for 18 months by the time of the incident.