The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. It is important to note that these powers are focused on ensuring that organisations meet the obligations of the Act.
1 February 2010
The Information Commissioner’s Office has found the Association of Teachers and Lecturers (ATL) in breach of the Data Protection Act after a laptop and memory stick were reported lost or stolen, containing the personal details of over 6,000 union members. ATL General Secretary, Mary Bousted, has now signed an Undertaking to ensure that by 28 February 2010 all portable and mobile devices used to store and transmit personal details are encrypted.
View PDF of the Association of Teachers and Lecturers Undertaking
22 January 2010
Mark Hackett, the Chief Executive of Southampton University Hospitals NHS Trust, has made a formal commitment to improve data security after the Information Commissioner’s Office found SUHT in breach of the Data Protection Act.
View PDF of the Southampton University Hospitals NHS Trust Undertaking
18 January 2010
The Information Commissioner’s Office has found Lancashire County Council in breach of the Data Protection Act after social work records containing sensitive personal data relating to several individuals were found in a filing cabinet purchased second-hand by a member of the public. The Council has now signed an Undertaking promising to implement a formal written procedure for the removal or disposal of any office furniture or equipment.
View PDF of the Lancashire County Council Undertaking
11 January 2010
The Information Commissioner’s Office has found Bellgrange Mortgages and Insurance Services Ltd in breach of the Data Protection Act after clients’ details were found in two large waste bins intended for the use of local residents. The organisation, based in Stanmore, has signed an official Undertaking to improve data security.
View PDF of the Bellgrange Mortgages and Insurance Services Ltd Undertaking
17 December 2009
The Information Commissioner’s Office has found Northern Ireland’s Department of Finance and Personnel in breach of the Data Protection Act after approximately 37,000 people’s personal details were stolen.
View PDF of the Department of Finance and Personnel Undertaking
17 December 2009
The Information Commissioner’s Office has found Shropshire Council in breach of the Data Protection Act following the loss of an unencrypted memory stick containing sensitive information relating to a large number of adult social care clients and members of staff.
View PDF of the Shropshire Council Undertaking
15 December 2009
A formal Undertaking has been signed by Waseley Hills High School and Sixth Form Centre committing it to take a number of steps to ensure that personal data is processed in compliance with the Data Protection Act. The Information Commissioner’s Office found it in breach of the Data Protection Act after the theft of personal data of over 1,000 pupils and staff.
View PDF of the Waseley Hills High School and Sixth Form Centre Undertaking
11 December 2009
A formal Undertaking has been signed by the Orbit Heart of England Housing Association after the Information Commissioner’s Office found them to be in breach of the Data Protection Act. 57 paper files containing personal data went missing during an office move. Forty-two of the files were recovered in full, but 15 which contain a significant amount of personal data relating to each tenant and, in some cases, members of his or her family, are still missing.
View PDF of the Orbit Heart of England Housing Association Undertaking
26 November 2009
A formal Undertaking has been signed by Verity Trustees Ltd after the Information Commissioner’s Office found them to be in breach of the Data Protection Act. The Trustees reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals.
View PDF of the Verity Trustees Ltd Undertaking
13 November 2009
Formal Undertakings have been signed by Great Yarmouth and Waveney Primary Care Trust and Gloucestershire Primary Care Trust after the Information Commissioner’s Office found them in breach of the Data Protection Act.
View PDF of the Great Yarmouth and Waveney PCT Undertaking
View PDF of the Gloucestershire PCT Undertaking
10 November 2009
Maidstone and Tunbridge Wells NHS Trust has pledged to improve the security of patients’ personal information after the Information Commissioner’s Office found it in breach of the Data Protection Act. The Trust has signed an Undertaking declaring that any personal data held on a laptop computer or other removable media by the data controller will be identified and encrypted within 6 months.
View PDF of the Maidstone and Tunbridge Wells NHS Trust Undertaking
27 October 2009
Ashford and St Peter’s Hospitals NHS Trust has signed an Undertaking and agreed to improve data security after it informed the Information Commissioner’s Office of a data breach involving the loss or theft of three unencrypted USB sticks containing sensitive patient information. Each of the devices contained the full treatment and full diagnosis history relating to a number of cancer patients. The information on the USB sticks was in Word format - leaving the material easily accessible to anyone with a computer.
View PDF of the Ashford and St Peter’s Hospitals NHS Trust Undertaking
22 October 2009
Antony Sumara, the Chief Executive of Mid Staffordshire NHS Foundation Trust, has agreed to take action to comply with the Data Protection Act following a significant security breach. The breach occurred after a member of the Trust’s human resources team transferred personal information to a home computer. The information, known as a ‘Statement of Case’, contained sensitive personal details about an employee and two further documents. Some of the information related to the employee’s previous criminal conviction.
View PDF of the Mid Staffordshire NHS Foundation Trust Undertaking
14 September 2009
A formal Undertaking has been signed by Billing Pharmacy Ltd, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted computer containing sensitive personal data for around 1,000 customers.
View PDF of the Billing Pharmacy Ltd Undertaking
A formal Undertaking has been signed by NHS Grampian, agreeing to comply with the seventh data protection principle. This follows several data security breaches there in the past few months.
View PDF of NHS Grampian’s Undertaking
8 September 2009
A formal Undertaking has been signed by NHS Education for Scotland, following the theft of an unencrypted laptop. The laptop contained the personal information of 6377 applicants for medical training positions.
View PDF of NHS Education for Scotland Undertaking
7 September 2009
A formal Undertaking has been signed by Ipswich Hospital NHS Trust, agreeing to comply with the seventh data protection principle. A ward summary list, containing patients’ personal data, was found outside the hospital premises. A similar incident had occurred in 2008, but some resulting recommendations had not been implemented.
View PDF of Ipswich Hospital NHS Trust’s Undertaking
4 September 2009
A formal undertaking has been signed by Sandwell Metropolitan Borough Council after an unencrypted memory stick was lost by an employee. The memory stick, which was not password protected, contained sensitive personal information relating to four families, including why children were taken into care or made subject to a Child Protection Plan.
View Sandwell Metropolitan Borough Council Undertaking
3 September 2009
Wigan Council has signed an Undertaking after the theft of a laptop computer containing personal information relating to approximately 43,000 children and young people. The laptop included personal details on most children and young people in Wigan’s schools. The information had been downloaded on to the laptop in breach of council policy.
View PDF of the Wigan Council Undertaking
21 August 2009
London Borough of Sutton has signed an Undertaking following an investigation by the ICO into several data security incidents. These included the loss of a paper file which contained personal data relating to 73 individuals receiving social care and the theft of two unencrypted laptops. A package of documents also went missing when a courier used by the council left it with the recipient’s neighbour.
View PDF of the London Borough of Sutton Undertaking
20 August 2009
A formal undertaking has been signed by Repair Management Services Ltd (formerly MVRA), a trade body that provides advice to businesses involved in motor vehicle repair. It follows the theft of an unencrypted laptop containing the personal information of approximately 36,800 individuals. The laptop, which was stolen from a secure vehicle in a public car park, was password protected but unencrypted.
View PDF of the Repair Management Services Ltd Undertaking
14 August 2009
A formal undertaking has been signed by East Cheshire NHS Trust after pages from an Accident and Emergency register were found in a garden in Newcastle-under-Lyme. The pages contained sensitive personal data relating to the physical and mental health of over 60 patients. The loss followed an office move involving various departments of the Trust during which an external company was hired, without a written contract, to clear out rubbish from the old premises.
View PDF of the East Cheshire NHS Trust Undertaking
12 August 2009
A formal undertaking has been signed by Dr Paul Thomas of the Gipping Valley Practice, Ipswich, agreeing to comply with the seventh data protection principle. This follows the discovery of a Practice server found in the car park of the Practice by an employee of the Suffolk Primary Care Trust. The server contained the sensitive personal data of a large number of Practice patients and the personal data of Practice employees.
View PDF of the Dr Paul Thomas Undertaking
A formal undertaking has been signed by UPS Limited, following a breach of the Data Protection Act last year. An unencrypted password-protected laptop was stolen from one of UPS’s employees while on business abroad in October 2008. The laptop, which was not recovered, contained the payroll data of approximately 9,150 UK based UPS employees.
View PDF of the UPS Limited Undertaking
4 August 2009
The Information Commissioner’s Office has served Enforcement Notices on 14 construction firms following breaches of the Data Protection Act. Some organisations paid thousands of pounds to unfairly obtain personal information about construction workers.
The firms are: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services Limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited.
View PDF of the Balfour Beatty Civil Engineering Limited Enforcement Notice
View PDF of the Balfour Beatty Construction Northern Limited Enforcement Notice
View PDF of the Balfour Beatty Construction Scottish & Southern Limited Enforcement Notice
View PDF of the Balfour Beatty Engineering Services (HY) Limited Enforcement Notice
View PDF of the Balfour Beatty Engineering Services Limited Enforcement Notice
View PDF of the Balfour Beatty Infrastructure Services Limited Enforcement Notice
View PDF of the CB&I UK Limited Enforcement Notice
View PDF of the Emcor Engineering Services Limited Enforcement Notice
View PDF of the Emcor Rail Limited Enforcement Notice
View PDF of the Kier Limited Enforcement Notice
View PDF of the NG Bailey Limited Enforcement Notice
View PDF of the Shepherd Engineering Services Limited Enforcement Notice
View PDF of the SIAS Building Services Limited Enforcement Notice
View PDF of the Whessoe Oil & Gas Limited Enforcement Notice
28 July 2009
A formal Undertaking has been signed by Imperial College Healthcare NHS Trust at St Mary's Hospital, South Wharf Road, London, agreeing to comply with the seventh data protection principle. This follows the theft of six unencrypted laptop computers (two incidents) and the loss of a small number of paper records which, in total, contained personal data relating to some 6,000 of the Trust's patients.
A formal undertaking has been signed by NHS Lothian agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted memory stick and some paper files temporarily left in a shop.
A formal undertaking has been signed by London Clubs International Limited agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop containing the data of approximately 26,000 customers.
View PDF of the Imperial College Undertaking
View PDF of the NHS Lothian Undertaking
View PDF of the London Clubs International Limited Undertaking
23 July 2009
A formal undertaking has been signed by Neath Port Talbot County Borough Council agreeing to comply with the seventh data protection principle. This follows the loss of a memory stick containing information relating to 65 children.
View PDF of the Neath Port Talbot County Borough Council Undertaking
22 July 2009
A formal undertaking has been signed by The Highland Council agreeing to comply with the seventh data protection principle. This follows the theft of two laptop computers from the authority’s premises in Inverness.
View PDF of The Highland Council Undertaking
14 July 2009
A formal undertaking has been signed by Chelsea & Westminster Hospital NHS Foundation Trust agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted USB memory stick containing personal data relating to 143 of the Trust’s patients.
A formal Undertaking has been signed by Epsom & St Helier University Hospitals NHS Trust of Wrythe Lane, Carshalton, Sutton, SM5 1AA, agreeing to comply with the seventh data protection principle. This follows the discovery of the insecure storage of hospital records, relating to a large number of the Trust's patients.
A second formal undertaking has been signed by The Hampshire Partnership NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer, containing the personal data of 349 patients and 258 members of staff, from a Trust employee who attended a conference at a London hotel.
A formal undertaking has been signed by The Royal Free Hampstead NHS Trust agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted computer disk containing personal data relating to some of the Trust’s patients.
A formal undertaking has been signed by Surrey and Sussex Healthcare NHS Trust agreeing to comply with the seventh data protection principle. This follows the loss of a ward handover sheet and the theft of two unencrypted laptop computers containing personal data relating to 23 and up to 80 of the Trust’s patients respectively.
View PDF of the Chelsea & Westminster Hospital NHS Foundation Trust Undertaking
View PDF of the Epsom & St Helier University Hospitals NHS Trust Undertaking
View PDF of The Hampshire Partnership NHS Trust Undertaking
View PDF of The Royal Free Hampstead NHS Trust Undertaking
View PDF of The Surrey and Sussex Healthcare NHS Trust Undertaking
7 July 2009
A formal Undertaking has been signed by Jubilee Managing Agency Limited, agreeing to comply with the fifth and seventh data protection principles. This follows the loss of an unencrypted disk containing personal data, including financial details, relating to 2100 policyholders. Some of the data also related to cancelled or expired policies.
View PDF of Jubilee Managing Agency Limited’s undertaking.
16 June 2009
A formal undertaking has been signed by Manchester City Council, agreeing to comply with the seventh data protection principle. This follows the loss of a laptop computer containing personal data relating to 1,754 school-based staff from the internal audit office at the Town Hall last October.
View PDF of the Manchester City Council Undertaking.
9 June 2009
A formal Undertaking has been signed by Amicus Legal Ltd of Colchester, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer, which was owned by a consultant contracted to Amicus Legal Ltd, containing personal data relating to some 100,000 of the company's clients.
View PDF of the Amicus Legal Limited Undertaking.
4 June 2009
A formal undertaking has been signed by Salford Royal NHS Foundation Trust agreeing to comply with the seventh data protection principle. This follows the theft of a desktop computer containing the personal data of approximately 3500 of the Trust’s patients.
View PDF of Salford Royal NHS Foundation Trust's Undertaking.
22 May 2009
A formal undertaking has been signed by First Response Finance Ltd agreeing to comply with the first and third data protection principles. This follows a complaint regarding a form asking an employer for excessive details; the form has now been changed.
View PDF of the First Response Finance Ltd Undertaking.
12 May 2009
A formal undertaking has been signed by Leicester City Council, agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted memory stick containing sensitive personal data relating to children at a Council-run nursery.
View PDF of Leicester City Council’s undertaking.
30 April 2009
Cambridge University Hospital NHS Foundation Trust, Central Lancashire Primary Care Trust, North West London Hospitals NHS Trust and Hull & East Yorkshire Hospitals NHS Trust have all signed formal Undertakings outlining that they will process personal information in line with the Data Protection Act. The organisations will implement a number of security measures to protect personal information more effectively. With immediate effect, all portable and mobile devices used to store and transmit personal data must be encrypted.
View PDF of the Cambridge University Hospital NHS Foundation Trust undertaking
View PDF of the Central Lancashire Primary Care Trust undertaking
View PDF of the North West London Hospitals NHS Trust undertaking
View PDF of the Hull & East Yorkshire Hospitals NHS Trust undertaking.
30 April 2009
A formal undertaking has been signed by Doncaster Primary Care Trust agreeing to comply with the seventh data protection principle. This follows the unauthorised removal of an obsolete out of hours GP service voice recording server that held the personal data of patients of the data controller. The server, which held 220000 clinical voice records, was later returned and it seems unlikely that the records were accessed.
View PDF of the Doncaster Primary Care Trust undertaking
30 April 2009
A formal undertaking has been signed by Leasowes Community College agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted USB memory stick containing the personal data of 1500 college pupils. The memory stick, which had been used in breach of college policy, was later recovered after being found by a member of the public.
View PDF of the Leasowes Community College undertaking
21 April 2009
A formal undertaking has been signed by The University of Manchester, agreeing to comply with the seventh data protection principle. This follows the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students. The data was emailed in error to some 469 students.
View PDF of the University of Manchester undertaking
17 April 2009
A formal undertaking has been signed by The British Council, agreeing to comply with the seventh data protection principle. This follows the loss, in transit, of an unencrypted computer data storage disc which contained the personal details of some 2,000 staff of the British Council.
View PDF of the British Council undertaking
27 March 2009
A formal undertaking has been signed by St Georges Healthcare NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of laptop computers containing the personal data of approximately 22000 of the Trust’s patients.
View PDF of the St Georges Healthcare NHS Trust undertaking
25 March 2009
A formal undertaking has been signed by Stockport NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a laptop computer containing the personal data of 1588 of the Trust’s patients.
View PDF of the Stockport NHS Foundation Trust undertaking
24 March 2009
A formal undertaking has been signed by 2gether NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a laptop computer and a memory stick containing the personal data of 56 of the Trust’s patients.
View PDF of the 2gether NHS Foundation Trust undertaking
23 March 2009
The Information Commissioner’s Office has issued an Enforcement Notice against Camden Primary Care Trust (PCT) following a breach of the Data Protection Act. Computers containing 2,500 individuals’ names, addresses and medical diagnoses were left beside a skip inside the grounds of St. Pancras Hospital in August 2008.
View PDF of the Camden Primary Care Trust Enforcement Notice
6 March 2009
The ICO has today issued an Enforcement Notice against Mr Ian Kerr trading as The Consulting Association. This follows an ICO investigation that uncovered a database held by The Consulting Association containing personal details on 3,213 construction workers. The details were used by over 40 construction companies to vet individuals for employment.
View PDF of the Consulting Association Enforcement Notice
13 February 2009
A formal undertaking has been signed by Hastings and Rother Primary Care Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a desktop computer containing the personal data of a number of the Trust’s patients.
View PDF of the Hastings and Rother Primary Care Trust undertaking
5 February 2009
A formal undertaking has been signed by Brent Teaching Primary Care Trust, agreeing to comply with the seventh data protection principle. This follows the theft of two unencrypted laptop computers containing the personal data of 389 of the Trust’s patients.
View PDF of the Brent Teaching Primary Care Trust undertaking
22 January 2009
The ICO has required the Home Office to sign a formal undertaking after a contractor employed by the Home Office, PA Consulting, lost an unencrypted memory stick holding sensitive personal details of thousands of individuals in August 2008. The Undertaking has been signed on behalf of the Home Office by Sir David Normington, the Permanent Secretary.
A formal undertaking has been signed by Abertawe Bro Morgannwg University NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer containing the personal data of approximately 5000 of the Trust’s patients.
The Information Commissioner's Office has required the Tees Esk and Wear Valleys NHS Foundation Trust to sign a formal undertaking after finding the organisation in breach of the Data Protection Act 1998. The data breach involved an incident which resulted in the loss of an unencrypted data stick, by a contractor, with various patient and staff personal data on it. A member of the public found the data stick which was later returned to the Trust.
View PDF of the Home Office undertaking
View PDF of the Abertawe Bro Morgannwg University NHS Trust undertaking
View PDF of the Tees Esk and Wear Valleys NHS Foundation Trust undertaking
20 January 2009
The Information Commissioner's Office has required Hampshire Partnership NHS Trust and Southampton City PCT to sign formal undertakings after finding the organisations in breach of the Data Protection Act 1998. The data breaches involved an incident which resulted in the loss of payslips containing employee personal data from both trusts.
View PDF of the Hampshire Partnership NHS Trust undertaking
View PDF of the Southampton City PCT undertaking
18 December 2008
The Information Commissioner's Office has found Leonard Cheshire Disability in breach of the Data Protection Act. This follows their failure to adequately respond to a subject access request made by one of their service users. The ICO has issued Leonard Cheshire Disability with an Enforcement Notice which requires them to comply with the subject access request. Leonard Cheshire Disability have now complied with this Enforcement Notice.
View PDF of the Leonard Cheshire Disability Enforcement Notice
26 November 2008
The Information Commissioner’s Office has required NHS Tayside and NHS Lanarkshire to sign formal undertakings after finding the organisations in breach of the Data Protection Act. The ICO was alerted to data breaches earlier this year when members of the public found confidential health records in buildings on the site of the former hospitals.
View PDF of the NHS Tayside undertaking
View PDF of the NHS Lanarkshire undertaking
30 September 2008
A formal undertaking has been signed by Virgin Media Limited, agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted compact disc containing the personal data of more than 3000 Virgin Media customers.
View PDF of the Virgin Media undertaking
25 September 2008
The Information Commissioner’s Office is today serving an Enforcement Notice against the Department of Communities and Local Government for contravening the Data Protection Act 1998 in relation to their response to a subject access request received by them.
View PDF of the Department of Communities and Local Government Enforcement Notice
15 July 2008
The Information Commissioner’s Office is today serving enforcement notices against HM Revenue and Customs and the Ministry of Defence following recent high profile data breaches.
View PDF of the HMRC Enforcement Notice
View PDF of the MoD Enforcement Notice
14 July 2008
The Commissioner has cancelled the Enforcement Notice dated 23 January 2008 served on Marks and Spencer PLC following receipt of a letter dated 8 July 2008 confirming that they have now completed the process of laptop hard drive encryption required by the Enforcement Notice.
View PDF of letter from Marks and Spencer PLC dated 8 July 2008 and Cancellation Notice dated 14 July 2008
10 April 2008
A formal undertaking has been signed by the Royal British Legion Club in Shirley, West Midlands, agreeing to comply with the seventh data protection principle, in accordance with their procedures.
View PDF of the Royal British Legion Club undertaking
22 February 2008
The ICO investigation into complaints against Loans.co.uk has been completed. Appropriate regulatory action has been taken and an ex-employee of the company has been formally cautioned for a criminal offence of unlawful disclosure of personal data contrary to section 55 of the Data Protection Act 1998.
21 February 2008
The Information Commissioner's Office has found Skipton Financial Services in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 14,000 SFS customers.
View PDF of the Skipton Financial Services undertaking
25 January 2008
The Information Commissioner's Office has found Marks & Spencer PLC in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. The ICO has now issued Marks & Spencer with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008.
View PDF of the Marks & Spencer Enforcement Notice
16 January 2008
The ICO has found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information.
View PDF of the Carphone Warehouse Enforcement Notice
View PDF of the TalkTalk Telecom Enforcement Notice