UK: ICO reveals four new undertakings following data breaches
From the ICO:
Durham University breached the Data Protection Act after disclosing personal information in training materials published on its website, the Information Commissioner’s Office (ICO) said today.
The personal data was contained in screenshots used to demonstrate the use of particular University systems and included details such as names, addresses and dates of birth of up to 177 former students and staff. The information – which had not been anonymised – was made available on the University’s website in February 2011. The University discovered the error in July 2011 and removed the material before reporting the matter to the ICO.
The university signed an undertaking to take corrective and preventive action.
While that was the only breach that seemed to merit its own press release, other undertakings were also disclosed today:
Community Integrated Care, a national social care charity signed an undertaking following the theft of an unencrypted laptop containing personal and sensitive personal data. The laptop, a router and printer were stolen in June 2011 from a locked ground floor office in the Newcastle area. The laptop contained personal data relating to 20 employees, as well as limited sensitive personal data relating to 20 young service users, including name, school and abbreviated details of their physical and mental disabilities.
The undertaking signed by London Borough of Croydon was also posted. Croydon had previously been fined £100,000 over the incident, which occurred when a social worker lost a bag in a pub. The bag contained papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
Dr Pervinder Sanghera of Arthur House Dental Care signed an undertaking following the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice. The memory stick had been used as a backup when the practice’s existing backup failed, and had been taken home at times. There is no report that the practice knew the memory stick was missing (or even when it went missing) until someone sent the stick to the ICO’s office in July 2011. The stick had been found in a public place.
So, seriously….. were there no breaches in the business sector that were reported or required undertakings? With all of the hacks going on worldwide, were no entities in the U.K. hacked due to inadequate security that would require an undertaking? Or is that a different agency’s responsibility?