As we are about to enter 2013 I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO) during 2012.

There are three types of punishments administered by the ICO

1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Find out who got the record fine

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money and penalties is a good way to generate more revenue – a self funding government department.

• 12 December 2012 A monetary penalty has been served to London Borough of Lewisham after a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on. The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.
• 10 December 2012 A monetary penalty has been served to Devon County Council after a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.  The mistake revealed personal data of 22 people, including details of alleged criminal offences and mental and physical health.
• 28 November 2012 A monetary penalty has been served to Christopher Niebel and Gary McNeish, the joint owners of Tetrus Telecoms. The company had sent millions of unlawful spam texts to the public over the past three years.
• 22 November 2012 A monetary penalty has been served to Plymouth City Council for a serious breach of the seventh data protection principle. A social worker sent part of a report relating to family A, to family B due to printing issues. The photocopied report contained confidential and highly sensitive personal data relating to the two parents and their four children, including of allegations of child neglect in on-going care proceedings.
• 16 November 2012 A monetary penalty has been issued to Leeds City Council following an incident whereby sensitive personal data relating to a child was sent to an incorrect individual.
• 6 November 2012 A monetary penalty of £50,000 was issued to Prudential after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.
• 25 October 2012 A monetary penalty of £120,000 was issued to Stoke-on-Trent City Council following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.
• 16 October 2012 A monetary penalty of £150,000 was issued to Greater Manchester Police after the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations.
• 10 October 2012 A monetary penalty of £70,000 was issued to Norwood Ravenswood Ltd after highly sensitive information about the care of four young children was lost after being left outside a London home.
• 11 September 2012 A monetary penalty of £250,000 was issued to Scottish Borders Council after former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park.
• 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
• 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
• 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
• 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
• 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
• 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
• 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
• 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
• 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
• 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
• 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
• 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
• 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
• 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

• 20 December 2012 An undertaking to comply with the seventh data protection principle has been signed by Isle of Anglesey County Council.
• 30 November 2012 An undertaking to comply with the seventh data protection principle has been signed by Leeds City Council. This follows a report made by the council that that a private area on the Leeds Initiative website was accessible to members of the public
• 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
• 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
• 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
• 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
• 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
• 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
• 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
• 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
• 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
• 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
• 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
• 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
• 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
• 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
• 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
• 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
• 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
• 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
• 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
• 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
• 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
• 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
• 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
• 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
• 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
• 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spread sheet containing 400 people’s personal details was accidentally emailed to 60 employees.
• 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
• 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions

• 13 December 2012 Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms, have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. The defendants pleaded guilty at two separate hearings and were fined £3000 which was reduced to £2000 in both cases due to an early guilty plea. Niebel and McNeish were each ordered to pay prosecution costs of £482.50 and a £15 victims surcharge. The conviction comes after Niebel and McNeish were served with monetary penalties totalling £440,000 for a serious breach of the Privacy and Electronic Communications Regulations (PECR) after the company they owned sent millions of spam texts to members of the public without their consent.
• 28 November 2012 A London barrister has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Jeanette Hayne pleaded guilty at the hearing on 28 November 2012 but Westminster Magistrates decided to dispose of the case by way of an absolute discharge owing to particular mitigating circumstances. Concluding the hearing, the magistrate warned that those whose profession is to prosecute people for failing to comply with the law must meet their legal obligations
• 2 August 2012 Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
• 30 March 2012 SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
• 27 February 2012 Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
• 12 January 2012 Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .