Tag Archives: Data Protection Act

Citizens Advice Bureau Leaks Data Online

A Citizens Advice Bureau (CAB) branch in Newcastle is now being investigated by the Information Commissioner’s Office (ICO) after confidential data was accidentally leaked online.

It has been reported that 1,300 internal files were published online. The files held customer data, including names, addresses, debt history and criminal records. Some of the files also contained staff login details for the main CAB website. To make things more embarrassing for the CAB branch, letters declaring that their information would be handled confidentially were also included.

The Newcastle CAB branch has started the process of notifying the affected people whilst the investigation continues.

Shona Alexander, who is the chief executive of the Newcastle branch, stated, “This isolated incident at Newcastle CAB is being thoroughly investigated. I’d like to reassure people that, because we take data protection extremely seriously, they can speak to us in total confidence. All Newcastle CAB staff and volunteers are fully trained in information assurance. The ICO are aware of this incident and we are working with them, as well as the senior information risk owner at Citizens Advice, taking urgent action to contact anyone who may have been affected by this incident and fully resolving any issue.”

Steve Whitehaed who is the senior information risk owner stated, “The Citizens Advice service has stringent data protection measures and highly secure systems in place to keep client and customer data safe. Incidents of this kind should never occur – we are working with Newcastle CAB while they investigate and resolve this isolated incident.”

The ICO have confirmed that they are investigating the issue to determine whether the incident constitutes a data protection breach.

A spokesman from the ICO stated, “We have recently been made aware of a possible data breach which may involve the Newcastle Citizens Advice Bureau. We will be making inquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

This latest incident proves that companies are still making mistakes when dealing with confidential data, which could have severe consequences if it were to fall into the wrong hands. It is time that companies start to educate their staff in data protection and have procedures in place to ensure that the rules and regulations are adhered to, so that incidents such as this one do not occur again.

Do you feel that companies are doing enough to protect confidential data?

ICO hit NHS with a £90,000 fine

The Central London Community Healthcare NHS Trust has become the latest victim of the Information Commissioner’s Office (ICO), which has imposed an eye-watering £90,000 fine after a series of breaches of the Data Protection Act were eventually brought to their attention.

The data breach occurred over a three-month period in which roughly 45 faxes containing confidential patient data were accidentally sent to the wrong person. The Central London Community Healthcare NHS Trust meant to fax the patient lists to St John’s Hospice. These patient lists contained information relating to 59 people, including their diagnoses, their domestic situation and resuscitation instructions.

After a three-month period of receiving these patient lists, the individual who had been receiving them eventually told Blighty’s health service. The individual stated that they had been receiving these patient lists and that they had shredded them to ensure that the information didn’t go any further.

ICO head of enforcement Stephen Eckersley has commented on this case. Eckersley stated, “Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

This is the latest case where the ICO have had to conduct an investigation because of a number of errors. Firstly, the Central London Community Healthcare NHS Trust didn’t have stringent enough measures in place to stop such an error occurring. Secondly, the staff hadn’t been adequately trained on data protection. These two factors combined are the main reason for the ICO imposing the hefty fine.

The trend of confidential data being compromised by people working in the public sector is set to continue as it is very evident that there are still members of staff who haven’t been appropriately trained on data protection. Yet again, this case suggests that we are still acting reactively and not proactively. The need for more stringent measures to be implemented and all members of staff to be adequately trained in data protection is increasing day by day as the implications become more severe if appropriate measures are not in place.

Leicestershire County Council Escape Fine after Data Loss

The Information Commissioner’s Office (ICO) has completed their investigation into a case where a Leicestershire County Council employee lost confidential data belonging to 18 children. Strict data protection laws had been broken and this case could have been prevented if the regulatory laws had been adhered to. The ICO have been critical of Leicestershire County Council but there has been no indication that they will impose a fine.

The main role of the ICO is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals in the UK. The ICO can impose a fine of up to £500,000.00 for any serious breach of the Data Protection Act.

Leicestershire County Council initially got into trouble when a social worker took home some confidential court documents in May last year. These documents were left in a briefcase in the social worker’s home during the night rather than in a secure location in the house. The social worker had obtained permission to take the documents home but they hadn’t received the relevant data protection training and therefore appropriate procedures were not followed. The social worker’s house was broken into that night and the burglar stole the briefcase with the documents inside. If the social worker had received the data protection training, they would have known that the documents should have been kept in a secure location in the house, preferably under lock and key.

Stephen Eckersley, the ICO’s head of enforcement, claimed, “While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.”

Eckersley later argued, “Local authorities must recognise social workers are handling some of the most sensitive information available. The fact this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.”

A County Hall spokesman has responded to this outcome stating, “The county council takes data security extremely seriously. As soon as it became aware a briefcase had been stolen from a social worker’s house, the Information Commissioner was informed. We already have comprehensive information security arrangements in place and constantly explore how we can improve these. This case has led us to reorganise our priorities.”

The County Hall spokesman later added, “We have made it clear staff should not take confidential documents home unless it is absolutely necessary for their work and they have their manager’s permission. If they do take documents home, they must lock them in a secure place.”

This latest case of data loss suggests that many people are still acting reactively towards data loss incidents and not proactively. Surely questions remain as to why the social worker was allowed to take the confidential court documents home in the first place, given that they hadn’t even received the relevant data protection training.

University of York publishes personal records of 148 students online

The University of York could face legal action following the publication of personal records relating to a number of students. A full investigation into how the details were made available is underway and the Information Commissioner’s Office (ICO) has also been informed about the leak.

A statement on the University of York website fully details the breach and offers support to those affected. According to the website, this week 148 student records were made available to anyone without the need for any authorisation through a web page off the site itself.

The students affected had their personal information published, which included name, date of birth, gender, and home and emergency contact details, including addresses. Also available were the students’ course details, department, course tutor, year of study and their entrance qualifications.

The university has contacted all those affected, offering a full apology, support and has acknowledged a review of its data management, stating: “We are investigating all procedures and data management systems and will undertake a thorough review of our data security arrangements. Results of this investigation, and recommendations from our Internal Auditors, will be used to make any necessary improvements to how we handle data in the future”.

Following an investigation by the ICO, if it is found to have been in breach of the Data Protection Act 1998, the University could face legal action and a fine. Serious breaches of the Act can lead to the ICO handing out fines of up to £500,000.

Wolverhampton Data Dump

Wolverhampton City Council has shown a surprisingly complacent approach to disposing of sensitive data, as well as an apparent disregard for the privacy of the inhabitants within the area.

Documents containing medical records, employment statuses and bank details were fly-tipped after being disposed of around the back of a leisure centre, in a skip! The skip was later stolen and, perhaps luckily, the documents it contained were discarded.

A subsequent investigation by the ICO unsurprisingly found that the council was in breach of the Data Protection Act.

A relatively large understatement was released by the Chief of Operations for Wolverhampton, Simon Entwisle: “The breach demonstrated how important it is that staff who handle data have a good understanding of the need to keep it safe at all times.”

It is appalling that data is still treated in such a haphazard way after there have been so many mistakes in the past. Previously, for example, the records of 25 million people were lost in the post. It is good that the ICO is efficient at recognising such data breaches, but there should be much harsher punishment for those in breach.

Since then, however, Chief Executive Simon Warren has been made to sign a disclosure stating that he will ensure staff are properly trained in the future in how to dispose of sensitive public data.

“The thought of people’s data being dumped on the street is worrying enough, not to mention what could have happened if it had fallen into the wrong hands. I am pleased that the council has taken the necessary steps to ensure that this type of breach does not happen again.”

Passport Service breaches Data Protection Act

The Information Commissioner’s Office (ICO) has released details of a data breach involving the Identity and Passport Service (IPS). In May 2010 the personal details of 21 applicants, along with their counter signatories, went missing, contravening the Data Protection Act.

Despite processing more than 25 million applications in the last five years, a spokesman for the IPS said they had already carried out a full internal review of security and had cancelled the application information as soon as it learnt of the breach. It was hoped this hadn’t led to any further risk to the applicants or subjected them to identity fraud.

The Chief Executive of the IPS has signed an undertaking to implement a number of measures to prevent this type of breach happening again. It states all those affected by the breach were informed and offered new passports, and no complaints were received by the IPS.

Mick Gorrel from the ICO says, “A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost. However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again.”
