Who has breached the Data Protection Act in 2012? Find the complete list here.

So far, 2012 has been a busy year for the Information Commissioner’s Office (ICO). With almost three quarters of the year gone, I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishment administered by the ICO:

  1. Monetary penalties. The most serious of the actions, and one normally reserved for organisations.
  2. Undertakings. Typically applied when an organisation has failed to adhere to good business practice and needs the guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European-wide data protection legislation to lead to more activity by the ICO, in the UK and across the other EU member states. Read my summary of the proposed European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size, financial and other resources of the data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and are not retained by the ICO.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 was served on Welcome Financial Services Limited following a serious breach of the Data Protection Act which led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 was served on Belfast Health and Social Care Trust following a serious breach of the Data Protection Act which led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty of £90,000 was served on Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A social worker sent a core assessment report to the child’s sibling instead of the mother; the assessment contained confidential and highly sensitive personal data. While the first incident was being investigated, a second incident was reported to the ICO involving the inappropriate disclosure of foster carers’ names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice of £325,000 was served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito-Urinary Medicine patients, on hard drives sold on an Internet auction site in October and November 2010.
  • 21 May 2012 A monetary penalty notice of £90,000 was served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people during a burglary at an employee’s home.
  • 30 April 2012 A monetary penalty of £70,000 was issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health was sent to the wrong person.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15-year-old girl.
  • 15 February 2012 A monetary penalty of £80,000 was issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients.
  • 13 February 2012 A monetary penalty of £100,000 was issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
  • 13 February 2012 A monetary penalty of £80,000 was issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland.

Undertakings

Undertakings are formal agreements between an organisation and the ICO under which the organisation commits to take certain actions to avoid future breaches of the Data Protection Act. Typically these actions involve encryption, staff training and management procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents relating to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individuals’ personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2,000 patients. The system, which was supplied by another firm, should have been securely returned to that firm by Pharmacyrepublic Ltd before the premises were vacated.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also the subject of the monetary penalty announced on 13 February.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relocation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure:
      ◦ Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two-month period in 2011. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
      ◦ Brighton and Hove Council emailed the details of another member of staff’s annual salary, and the deductions made from it, to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
      ◦ Dacorum Borough Council
      ◦ Bolton Council
      ◦ Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people’s data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys, has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services, and one of its directors, Mr Punjab Sandhu, have been found guilty of offences under section 55 of the Data Protection Act 1998 (DPA) after unlawfully obtaining details about their tenants from a rogue employee at Slough Borough Council.
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP, has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker, has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer; it offers advice too. See the Information Commissioner’s 5 Tips on how to better protect personal information.

The list was compiled on 16 August 2012. Updates will be added later, so why not subscribe to the blog and receive them automatically.

See Who breached the Data Protection Act in 2013? Find the complete list here.


  1. #1 by maxcantellow on 18/01/2014 - 3:53 pm

    Hi there,
    I am a Business Management student specialising in Marketing at Manchester University. I am currently attempting to write an essay for my exam on Monday regarding confidentiality and the Data Protection Act 1998 (I stupidly enough thought I could do a Law module!). I wondered if you could help me gauge a greater understanding of how the DPA requires confidentiality?
    Which 2 clauses would you recommend to use in direct relation to confidentiality?

    I’ll put the question below for greater clarity

    The question is as follows:
    “When we don’t want someone to know the company has made a mistake, we just say, ‘it’s a Data Protection issue – we can’t disclose that information’ and they usually leave it” (Anon, Call Centre Worker)

    Consider the statement above and other recent Data Protection investigations as you explain:
    (a) the confidentiality actually required under the Data Protection Act 1998;
    AND
    (b) whether the powers of the Information Commissioners Office regarding misuse of the Act are of practical use.

    I am sure this is probably the strangest question you have received, but it’s got to that stage of complete confusion where I just don’t have any clue where to start or what to write!

    Yours sincerely,

    Max
    The Struggling 2nd Year Student


  2. #2 by troy chapel on 07/11/2013 - 3:43 pm

    Hi, recently I rented a flat via a lettings agency. I specifically said that I did not want my details passed to any utility or utility comparison sites, in person when signing the lease.

    A day after moving in I was telephoned by a utilities comparison company, and my personal details (including DoB, mobile, address etc.) were passed to three different companies who would then demand my DoB before speaking to me “for data protection”!!!

    What is the position relating to the estate agents, who verbally acknowledged their action?


  3. #3 by Mazie on 17/10/2013 - 6:38 pm

    Hi wondering can you advise? I recently went through a very embarrassing situation whereby a housing association I had previously rented a property from, sent a letter to my employer for my attention – the letter was opened by post room staff as they believed it to be a standard letter as there was nothing on letter stating confidential – the letter referred to legal proceedings, money owed, etc, I have found the whole process humiliating and unnecessary – I now have to pass these people daily knowing they know my personal private details and could disclose this information to other employees – I don’t understand why the letter was sent to me at work as I have never disclosed my employers details to them? Help


    • #4 by brianfpennington on 18/10/2013 - 9:28 am

      Hello,

      I am not a lawyer and my skills are more in the protection against things going wrong.

      However this is clearly an example of why the Data Protection Act was created.

      You should complain through the ICO here http://www.ico.org.uk/complaints/handling

      It is interesting that in recent time the Estate Agent/Letting industry was heavily criticised and several organisations were taken to task for not even registering that they are holding personal information.

      You may find the people in question have more than one question to answer.

      Good luck


  4. #5 by bex83 on 28/01/2013 - 5:59 pm

    Hi, I am new here and in serious need of advice. My credit card provider sent a text message with my card details and credit state to a friend’s mobile that I had previously used to make a payment. I have rung the company to complain and their attitude was atrocious; the best they could come up with was to remove the unauthorised number from my file and take off the £24 they were informing me of being over my credit limit. When I said I was not satisfied with this as it had caused me embarrassment and upset by breaching my data and breaking the Data Protection Act, I was told my complaint was being passed further up the chain. I have since had a call from the complaints department saying that no text was sent to the phone, just an automated call. If anyone could help on where I stand legally with this and how this company can get away with it, as there seems to be no way that I can find of reporting this to some kind of data protection system.


    • #6 by brianfpennington on 28/01/2013 - 8:12 pm

      Hello, it is obviously difficult to give advice remotely because you need to speak to your credit card company and complain, but they will be backed by various terms and conditions, e.g. you probably accepted that when making a payment from the mobile it was yours, blah, blah, blah. However you do seem to have been dealt with badly, so I suggest you escalate your complaint and quote both the Data Protection Act and Payment Card Industry compliance, and they might deal with you on a reasonable level.

      Good luck

      Brian


  5. #7 by Babs on 10/01/2013 - 11:49 am

    Excellent article, many thanks!

    I am interested in the amounts of compensation though, is there any information to be had on this?

    If a person’s complete private data (DoB, social insurance no., address, email, tel no., employment details, etc.) were stolen from a previous employer, resulting in possible identity theft and misuse of said data, what on earth can one expect in compensation? What is one’s complete “life” data worth? Who will pay for the sleepless nights, the stomach ulcers and tension headaches that come with fear of abuse of this data?

    And how does one protect oneself from future criminal use of one’s data? Scary, to say the least :( If the courts go by “show me how much you’ve spent on medical treatment due to this!”, then I guess one’s data isn’t worth much.


    • #8 by brianfpennington on 13/01/2013 - 3:39 pm

      Hi, individual compensation is hard to find as it is often “out of court….” but once an organisation is found guilty they struggle to defend against compensation claims.

      Brian


  6. #9 by JJ O'Neill on 17/08/2012 - 11:25 am

    Hi Brian, well all I can say is many thanks for your report and reply; my eyes were opened. And roll on the new DP Act when it comes, not soon enough in my eyes. Amazing how it has taken so long to get this far in the security of a person’s private details. Once again many thanks. And to think a lot of these people who have this data lose it; I can only think of an old Chinese proverb (an empty sack will not stand up by itself) lol


  7. #10 by JJ O'Neill on 16/08/2012 - 1:35 pm

    The Treasury may be paying the fines imposed and compensation where it is due, but where does the Treasury get most of its money from? The hard-working tax-paying people of the UK.


    • #11 by brianfpennington on 16/08/2012 - 2:20 pm

      Hi JJ,

      It is one of those conundrums. The ICO is a government agency that in the main fines government departments for breaching an Act of Parliament. The government department being fined then has to pay the Treasury (government).

      It does appear that there is a lot of administration being done, but in defence of the process and the ICO there are no compulsory disclosure laws in place for commercial organisations, which means they are probably hiding the problem or promising to spend loads of money fixing the issue.

      When the new Data Protection Act comes out it will be compulsory for all organisations to disclose a breach and then the fines will be a tax on businesses and not citizens.

