There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller.
The tools are not mutually exclusive. We will use them in combination where justified by the circumstances.
The main options are:
- serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
- issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
- serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- conduct consensual assessments (audits) to check organisations are complying;
- serve assessment notices to conduct compulsory audits to assess whether organisations' processing of personal data follows good practice (data protection only);
- issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 or serious breaches of the Privacy and Electronic Communications Regulations;
- prosecute those who commit criminal offences under the Act; and
- report to Parliament on data protection issues of concern.
Appeals from notices are heard by the First-tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC). The First-tier Tribunal (Information Rights) specifically hears appeals of enforcement notices, decision notices and information notices issued by the Information Commissioner. The GRC brings together a range of previously separate tribunals that hear appeals on regulatory issues.
View the Data Protection Regulatory Action Policy
View the Assessment Notices Code of Practice
View the Monetary Penalties guidance
View our statement on enforcing the revised Privacy and Electronic Communications Regulations
Prosecutions
16 December 2011
A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act.
View the news release
10 November 2011
A former gambling industry worker who unlawfully obtained and sold personal data relating to over 65,000 online bingo players has pleaded guilty to committing three offences under section 55 of the Data Protection Act.
View the news release
13 September 2011
A bank cashier yesterday pleaded guilty to using her position to access illegally the personal details of a sex attack victim. The cashier’s husband had been convicted of carrying out the attack and was serving time in jail.
View the news release
10 June 2011
Two former employees of UK mobile operator T-Mobile who illegally stole and sold select customer data from the company in 2008 have been ordered to pay a total of £73,700 in confiscation orders and costs as part of a hearing at Chester Crown Court.
View the news release
1 June 2011
A personal injury claims company employee has been prosecuted for illegally obtaining NHS patients’ information.
View the news release
Monetary penalty notices
A monetary penalty will only be appropriate in the most serious situations. When deciding the amount of a monetary penalty, the Commissioner not only takes into account the seriousness of the breach but also other factors including the size, financial and other resources of a data controller. It is not the purpose of a monetary penalty to impose undue financial hardship. The amount must not exceed £500,000 and is not kept by the Commissioner, but paid into the Consolidated Fund owned by HM Treasury.
30 January 2012
A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland.
View a PDF of the Midlothian Council monetary penalty notice
6 December 2011
A monetary penalty of £130,000 was issued to Powys County Council for a serious breach of the Data Protection Act after the details of a child protection case were sent to the wrong recipient.
View a PDF of the Powys County Council monetary penalty notice
28 November 2011
A monetary penalty of £60,000 was issued to North Somerset Council for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.
View a PDF of the North Somerset Council monetary penalty notice
A monetary penalty of £80,000 was issued to Worcestershire County Council for an incident where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.
View a PDF of the Worcestershire County Council monetary penalty notice
9 June 2011
A monetary penalty of £120,000 was issued to Surrey County Council for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.
View a PDF of the Surrey County Council monetary penalty notice
10 May 2011
A monetary penalty of £1,000 was issued to Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law, for failing to keep sensitive personal information relating to around 6,000 people secure.
View PDF of the ACS Law monetary penalty notice
8 February 2011
A monetary penalty of £80,000 was issued to Ealing Council following the loss of an unencrypted laptop which contained personal information. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies.
View PDF of the Ealing Council monetary penalty notice
A monetary penalty of £70,000 was issued to Hounslow Council following the loss of an unencrypted laptop which contained personal information. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow Council also did not monitor Ealing Council’s procedures for operating the service securely.
View PDF of the Hounslow Council monetary penalty notice
22 November 2010
A monetary penalty of £60,000 was issued to employment services company A4e Limited for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
View PDF of the A4e monetary penalty notice
A monetary penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
View PDF of the Hertfordshire County Council monetary penalty notice
Undertakings
3 February 2012
An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
View the E*Trade Securities Ltd undertaking
20 January 2012
An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
View the Manpower UK Ltd undertaking
18 January 2012
An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
View the Chartered Institute of Public Relations undertaking
Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people's data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.
View the Praxis Care Limited undertaking
6 December 2011
An undertaking to comply with the seventh principle of the DPA has been signed by Alan M Casson & Associates, after two unencrypted laptops and backup media had been stolen during a burglary of their premises. The laptops contained personal data relating to 8000 current and past patients.
View the Alan M Casson & Associates undertaking
An undertaking to comply with the seventh principle of the DPA has been signed by the Principal of Godalming College, after the ICO was notified that an email with an attachment containing sensitive personal data had been sent inadvertently to lower-sixth form students. The email should have been sent to their tutors and the sender had not intended to send the attachment, but merely a link to it.
View the Godalming College undertaking
An undertaking to comply with the seventh principle of the DPA has been signed by Richard Dominic Preston following the theft of a laptop computer from Mr Preston's home address. The laptop contained documents relating to cases on which Mr Preston had been instructed, together with email correspondence.
View the Richard Dominic Preston undertaking
21 November 2011
An undertaking to comply with the seventh principle of the DPA has been signed by The London Borough of Southwark, further to the inappropriate disposal of an iMac computer and paper records. The matter was brought to the attention of the ICO when the aforementioned items were found by a member of the public in a skip being used to clear a decommissioned and vacant property, which was part of a complex previously owned by the data controller. A substantial volume of sensitive personal data relating to around 7,200 individuals was contained on the iMac and within the paper records, detailing ethnicity, medical history and criminal convictions.
View the London Borough of Southwark undertaking
An undertaking has been signed by Central Essex Community Services after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book – which should have been stored in a locked filing cabinet – was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered.
View the Central Essex Community Services undertaking
16 November 2011
An undertaking to comply with the seventh principle of the DPA has been signed by Ruth Crawford QC, further to the theft of an unencrypted laptop computer which contained the sensitive personal data of a number of individuals who were involved in cases on which the data controller was instructed to act.
View the undertaking signed by Ruth Crawford QC
An undertaking to comply with the seventh principle of the DPA has been signed by Phoenix Nursery School, further to the loss of a backup tape and accompanying device which contained details of pupils, parents and guardians as held on the school's information management system. Consideration was given to the fact that a nominal amount of the data lost in this incident consisted of information as to the physical or mental health of the data subjects.
View the Phoenix Nursery School undertaking
15 November 2011
An undertaking to comply with the seventh data protection principle has been signed by Oliver Letwin MP, following the disposal of a number of documents containing personal data in public waste bins.
View the Oliver Letwin MP undertaking
3 November 2011
An undertaking to comply with the seventh data protection principle has been signed by the chief executive of Rochdale Metropolitan Borough Council. This follows an incident earlier this year in which an unencrypted USB stick containing some personal data relating to thousands of local residents was lost.
View the Rochdale Metropolitan Borough Council undertaking
28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data.
View the Newcastle Youth Offending Team undertaking
27 October 2011
An undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.
View the University Hospitals Coventry & Warwickshire NHS Trust undertaking
19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure email with an Excel attachment containing personal data relating to employees of the data controller being sent in error to an unintended recipient outside of the organisation. It was also discovered that data within 'hidden' pivot cells forming part of the spreadsheet could be revealed.
View the Spectrum Housing Group undertaking
17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employees' personal data in response to a Freedom of Information (Scotland) Act request.
View the Dumfries and Galloway Council undertaking
5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.
View the ASCL undertaking
An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.
View the Holly Park School undertaking
4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area – were put in a disposal room due to lack of space.
View the Dartford and Gravesham NHS Trust undertaking
An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse's car. The diaries included patients' names, addresses and details of previous visits and were used by the nurse during out-of-hours duty.
View the Poole Hospital NHS Foundation Trust undertaking
20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.
View the Eastleigh Borough Council undertaking
15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely.
View the joint undertaking
An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.
View the Royal Liverpool & Broadgreen University Hospitals NHS Trust undertaking
14 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.
View the Eastern and Coastal Kent Primary Care Trust undertaking
9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.
View the Walsall Council undertaking
7 September 2011
An undertaking to comply with the seventh data protection principle has been signed by London Ambulance Service NHS Trust. This follows the theft of a personal unencrypted laptop containing patient data.
View the London Ambulance Service NHS Trust undertaking
An undertaking to comply with the seventh data protection principle has been signed by University Hospital of South Manchester NHS Foundation Trust. This follows the loss of an unencrypted memory stick containing personal information relating to approximately 87 patients.
View the University Hospital of South Manchester NHS Foundation Trust undertaking
2 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Scottish Children’s Reporter Administration. This follows the sending of an email containing sensitive personal data relating to a child’s court hearing to an unknown third party and the temporary loss of 9 case files relating to the safety and welfare of children during an office move.
View the Scottish Children’s Reporter Administration undertaking
An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council. This follows a self-reported breach concerning a flaw in the encryption function of a number of Council-issued memory sticks. The flaw could allow the memory sticks to be formatted, removing their encryption protection.
View the Luton Borough Council undertaking
10 August 2011
An undertaking to comply with the seventh principle of the DPA has been signed by the London Borough of Greenwich. This follows two incidents where sensitive personal data was inadvertently disclosed, due to the Council's failure to implement appropriate wording in their ICT policy, stating that the sending of sensitive personal data in business related emails to external webmail addresses should be avoided.
View the London Borough of Greenwich undertaking here
9 August 2011
An undertaking to comply with the seventh data protection principle has been signed by Lush Cosmetics Ltd. This follows a malicious intrusion on their website which compromised approximately 5000 customer credit cards.
View the Lush Cosmetics Ltd undertaking here
8 August 2011
An undertaking to comply with the seventh data protection principle has been signed by Bay House School after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.
View the Bay House School undertaking here
5 August 2011
An undertaking to comply with the seventh data protection principle has been signed by HCA International Limited. This follows the theft of two unencrypted laptops containing sensitive personal data from one of the group’s hospitals in March.
View the HCA International undertaking here
4 August 2011
An undertaking to comply with the seventh data protection principle has been signed by the Chief Executives of Lewisham Council and Wandle Housing Association. This follows the discovery of an unencrypted USB stick containing thousands of tenant records and financial data in a London pub.
View the Lewisham Council undertaking
View the Wandle Housing Association undertaking
29 July 2011
An undertaking to comply with the seventh data protection principle has been signed by Kirklees Metropolitan Council. This follows the inappropriate disclosure of personal data by care workers contracted by Kirklees Metropolitan Council.
View the Kirklees Metropolitan Council undertaking
20 July 2011
An undertaking to comply with the seventh data protection principle has been signed by the University of York after it failed to close a test area on its website that contained thousands of students’ personal details. While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.
View the University of York undertaking
19 July 2011
An undertaking to comply with the seventh data protection principle has been signed by Lancashire Police Authority (LPA). This follows the inappropriate disclosure of personal data on the LPA’s website containing sensitive personal data.
View the Lancashire Police Authority undertaking
18 July 2011
An undertaking to comply with the seventh data protection principle has been signed by Northamptonshire Healthcare NHS Foundation Trust. This follows the loss of one individual’s medical records.
View the Northamptonshire Healthcare NHS Foundation Trust undertaking
5 July 2011
An undertaking to comply with the seventh data protection principle has been signed by Ms Raisa Saley, Barrister at law, further to the loss of a bundle of court papers which contained a considerable volume of sensitive personal data relating to a number of individuals from the same family.
View the Ms Raisa Saley undertaking
1 July 2011
An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
View the Basildon and Thurrock University Hospitals NHS Foundation Trust undertaking
An undertaking to comply with the seventh principle of the DPA has been signed by Dunelm Medical Practice, further to the inappropriate facsimile transmission and subsequent disclosure of two patients' electronic discharge letters, which contained sensitive personal data, including medical information.
View the Dunelm Medical Practice undertaking
An undertaking to comply with the seventh data protection principle has been signed by East Midlands Ambulance Service NHS Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
View the East Midlands Ambulance Service NHS Trust undertaking
An undertaking to comply with the seventh data protection principle has been signed by the Ipswich Hospital NHS Trust. This follows the discovery of 29 patient records containing sensitive personal data in a public place.
View the Ipswich Hospital NHS Trust undertaking
An undertaking to comply with the seventh data protection principle has been signed by Lancashire Teaching Hospitals NHS Foundation Trust. This follows the faxing of sensitive personal data to a member of the public on more than one occasion.
View the Lancashire Teaching Hospitals NHS Foundation Trust undertaking
28 June 2011
An undertaking to comply with the seventh data protection principle has been signed by Cherubs Community Playgroup. This follows the theft of an unencrypted laptop containing personal information relating to approximately 47 families.
View the Cherubs Community Playgroup undertaking
14 June 2011
An undertaking to comply with the seventh data protection principle has been signed by CCTV monitoring website Internet Eyes Limited. This follows a complaint about a clip posted on video sharing website YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes website.
View the Internet Eyes undertaking
An undertaking to comply with the seventh data protection principle has been signed by Surbiton Children’s Centre Nursery. This follows the theft of a teacher’s bag containing an unencrypted memory stick and paperwork.
View the Surbiton Children’s Centre Nursery undertaking
8 June 2011
An undertaking to comply with the seventh data protection principle has been signed by North Lanarkshire Council. This follows the theft of hard copy documents containing sensitive personal data.
View the North Lanarkshire Council undertaking here
27 May 2011
An undertaking to comply with the seventh data protection principle has been signed by the charity Asperger’s Children & Carers Together (ACCT). This follows the theft of an unencrypted laptop containing sensitive personal data last Christmas.
View the ACCT undertaking
An undertaking to comply with the seventh data protection principle has been signed by Wheelbase Motor Project. This follows the theft of an unencrypted portable hard drive storing sensitive personal data concerning 50 individuals.
View the Wheelbase Motor Project undertaking
26 May 2011
An undertaking to comply with the seventh principle of the DPA has been signed by Co-operative Life Planning Limited, further to the inappropriate disclosure of an electronic file which contained a considerable volume of customers' personal data.
View the Co-operative Life Planning Limited undertaking
13 May 2011
An undertaking to comply with the seventh data protection principle has been signed by Somerset County Council. This is a result of a teenager’s social care records having been sent to the wrong family.
View PDF of the Somerset County Council undertaking
21 April 2011
An undertaking to comply with the seventh data protection principle has been signed by Freehold Community School. This follows the theft of an unencrypted laptop and paperwork containing personal information relating to 90 pupils from a teacher’s car.
View the Freehold Community School undertaking
20 April 2011
An undertaking to comply with the seventh data protection principle has been signed by NHS Birmingham East and North. This follows the discovery that Trust employees could access electronic files unrelated to the department they worked in.
View the NHS Birmingham East and North undertaking
19 April 2011
An undertaking to comply with the seventh principle of the DPA has been signed by Norwich City College of Further and Higher Education, detailing two instances where a total of 80 student files, some of which contained sensitive personal data including medical information, were inappropriately disposed of.
View the Norwich City College of Further and Higher Education undertaking
An undertaking to comply with the seventh data protection principle has been signed by the Borough of Poole. The Council reported that faxes had been sent to the wrong number on three occasions last year.
View the Borough of Poole undertaking
An undertaking to comply with the seventh data protection principle has been signed by University College London Hospitals NHS Foundation Trust. This follows the discovery of an unencrypted memory stick off Trust premises. The memory stick contained sensitive personal data relating to 750 Trust patients.
View the University College London Hospitals NHS Foundation Trust undertaking
11 April 2011
NHS Liverpool Community Health has signed an undertaking after it breached the Data Protection Act (DPA) by losing papers relating to the medical history of 31 children and their birth mothers during a premises move in October last year. The ICO’s investigation found that NHS Liverpool had no formal contract in place with the removal company to handle personal data - a requirement of the Act - and had no process in place to ensure personal data was kept secure throughout the move.
View a PDF of the NHS Liverpool Community Health undertaking here
In a separate incident, the ICO has also found the Council for Healthcare Regulatory Excellence (CHRE) in breach of the Act after the possible loss of documents from complaint review files containing sensitive personal data. However, due to weaknesses in CHRE's document recording, administration and communication processes, the organisation cannot be certain whether the information was ever received or whether it was subsequently lost or destroyed.
View a PDF of the CHRE undertaking here
5 April 2011
An undertaking to comply with the seventh principle of the DPA has been signed by City of York Council, further to the inappropriate disclosure of an individual's personal data, which occurred as a result of the information in question being erroneously included with documentation sent to an unrelated third party.
View a PDF of the City of York Council undertaking here
4 April 2011
An undertaking to comply with the seventh data protection principle has been signed by Royal Cornwall Hospitals NHS Trust. This follows the inappropriate disclosure of third party sensitive personal data on two occasions, in response to a subject access request.
View a PDF of the Royal Cornwall Hospitals NHS Trust undertaking here
1 April 2011
An undertaking to comply with the seventh data protection principle has been signed by Warrington and Halton Hospitals NHS Foundation Trust. This follows the theft of an unencrypted laptop containing sensitive personal data relating to 110 patients.
View a PDF of the Warrington and Halton Hospitals NHS Foundation Trust undertaking here
23 March 2011
An undertaking to comply with the seventh data protection principle has been signed by Ms Phillimore, a barrister. This follows Ms Phillimore leaving a file containing sensitive personal data in an unattended motor vehicle, from which the file was stolen.
View a PDF of Ms Phillimore’s undertaking here
15 March 2011
An undertaking to comply with the seventh data protection principle has been signed by Wolverhampton City Council. This follows a report in the press about the theft of a skip and the subsequent fly-tipping of its contents. The skip contained personal data including bank details, employment records and medical information. The data was traced back to a local community leisure centre. The council confirms that leisure centre staff should not have disposed of personal data in a skip. The information has now been securely destroyed.
View a PDF of the Wolverhampton City Council undertaking
25 February 2011
An undertaking to comply with the seventh data protection principle has been signed by Doncaster Metropolitan Borough Council. This follows the disclosure of third party data by the council during court proceedings.
View a PDF of the Doncaster Metropolitan Borough Council undertaking
24 February 2011
An undertaking to comply with the seventh data protection principle has been signed by Aramark Ltd. This follows the theft of an unencrypted laptop and paperwork containing employees’ personal data.
View a PDF of the Aramark Ltd undertaking
23 February 2011
An undertaking to comply with the seventh data protection principle has been signed by Cambridgeshire County Council. This follows the loss of an unencrypted memory stick containing sensitive personal data.
View PDF of the Cambridgeshire County Council undertaking
21 February 2011
The Identity and Passport Service has signed an undertaking which commits the organisation to taking remedial action after the ICO found it in breach of the Data Protection Act for losing the passport renewal applications of 21 individuals.
View PDF of the Identity and Passport Service undertaking
18 February 2011
An undertaking to comply with the seventh data protection principle has been signed by Isle of Anglesey County Council. This follows the mailing of housing and council tax benefit letters containing financial personal data to the wrong recipients. The council did not have a written agreement in place with the data processor selected to distribute the letters on its behalf.
View PDF of the Isle of Anglesey County Council undertaking
11 February 2011
Gwent Police has signed an undertaking which commits the organisation to taking remedial action after the ICO found it in breach of the Data Protection Act for accidentally emailing results of Criminal Reference Bureau (CRB) checks performed by the force to a member of the public.
View PDF of the Gwent Police undertaking
21 January 2011
NHS Blood and Transplant has signed an undertaking which commits the organisation to being more robust in checking information is accurate. This follows the discovery that organ donation preferences of 444,031 people were recorded inaccurately on the Organ Donation Register, which is managed by NHS Blood and Transplant, due to a software error.
View PDF of the NHS Blood and Transplant undertaking
5 January 2011
A formal undertaking has been signed by the Scottish Court Service. Following a newspaper report about a data breach by the Court Service, the ICO discovered that papers containing personal information had been lost by the editor of a series of law reports. The court service had failed to check how this individual intended to keep the information secure.
View PDF of the Scottish Court Service undertaking
22 November 2010
A formal undertaking has been signed by Stoke-on-Trent City Council, agreeing to comply with the seventh data protection principle. This follows the discovery of an unencrypted social services memory stick in Hanley containing information about 40 children.
View PDF of the Stoke-on-Trent City Council undertaking
19 November 2010
Senior Vice President of Google, Alan Eustace, has signed an undertaking on behalf of Google Inc. which commits the company to putting into place improved training measures on security awareness and data protection issues for all employees. The company has also said it will require its engineers to maintain a privacy design document for every new project before it is launched. The payload data that Google inadvertently collected in the UK will also be deleted.
View PDF of the Google undertaking
12 November 2010
A formal undertaking has been signed by Andrew McDonald, CEO of the Independent Parliamentary Standards Authority (IPSA), agreeing to comply with the seventh data protection principle. This follows an internal database being left insecure for a period of some 21 hours following IT maintenance. The insecurity resulted in the potential compromise of personal data relating to 332 MPs.
View PDF of the IPSA undertaking
11 November 2010
An undertaking to comply with the seventh data protection principle has been signed by the Rainforest Alliance Ltd. This follows the theft of an unencrypted laptop holding personal and financial data relating to employees and job applicants.
View a PDF of the Rainforest Alliance undertaking
2 November 2010
A formal undertaking has been signed by Portsmouth City Council following the inappropriate disclosure of personal information relating to an individual’s physical and mental health. The council failed to redact documents correctly in a subject access request and so accidentally disclosed information about another individual.
View a PDF of the Portsmouth City Council undertaking
19 October 2010
An undertaking to comply with the seventh data protection principle has been signed by the Lord Chief Justice of Northern Ireland. This follows the inappropriate disclosure of personal data in an email from his office earlier this year.
View a PDF of the Lord Chief Justice’s Office (Northern Ireland) undertaking
19 October 2010
The Chief Executive of the North West London Hospitals NHS Trust has signed a formal undertaking after a doctor left medical information about 56 patients on a tube train.
View a PDF of the North West London Hospitals NHS Trust undertaking
14 October 2010
A formal undertaking has been signed by Healthcare Locums Plc (HCL). A hard drive containing doctors’ security clearance and visa information had been sold on an auction website before being returned to HCL.
View a PDF of the Healthcare Locums Plc undertaking
30 September 2010
A formal undertaking has been signed by Forth Valley NHS Board. The Information Commissioner’s Office was informed that an unencrypted memory stick with no password protection and containing personal information held by the Board had been handed in to the press.
View a PDF of the Forth Valley NHS Board undertaking
20 September 2010
A formal undertaking has been signed by East & North Hertfordshire NHS Trust after an unencrypted USB stick containing sensitive personal data was lost by a member of staff on a train journey.
View a PDF of the East & North Hertfordshire NHS Trust undertaking
26 August 2010
A formal undertaking has been signed by Yorkshire Building Society (YBS), after an unencrypted laptop belonging to the former Chelsea Building Society (CBS), which had recently merged with YBS, was stolen from its Cheltenham premises. The laptop contained a substantial part of the CBS customer database.
View a PDF of the YBS undertaking
25 August 2010
A formal undertaking has been signed by DSG Retail, following the discovery of customers’ credit agreements in or near a skip at one of the company’s PC World stores. The documents related to transactions made two years prior and had been kept beyond the period recommended by DSG’s policies for holding personal data.
View a PDF of the DSG Retail undertaking
24 August 2010
A formal undertaking has been signed by Royal Wolverhampton Hospitals NHS Trust after the loss of over 100 of its patient records. The Information Commissioner’s Office was alerted to the loss of a CD which contained scans of 112 patient records from the Intensive Care Unit of New Cross Hospital’s Heart and Lung Unit. The CD was discovered at a bus stop near the hospital and was unencrypted with no password protection.
View PDF of the Royal Wolverhampton Hospitals NHS Trust undertaking
19 August 2010
A formal undertaking has been signed by Tunbridge Wells Equitable Friendly Society Limited trading as The Children's Mutual, after an annual account statement containing confidential personal data was sent in error to the wrong recipient.
View PDF of The Children's Mutual undertaking
14 July 2010
A formal undertaking has been signed by Birmingham Children’s Hospital NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the loss of two unencrypted laptops which were stolen from the Medical Day Centre, containing sensitive personal data relating to a number of the Trust’s patients.
View PDF of the Birmingham Children’s Hospital NHS Foundation Trust undertaking
8 July 2010
The ICO has taken action against the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council for breaching the Data Protection Act. A systemic lack of staff training on how to handle personal information has led to the loss of sensitive personal information relating to thousands of children.
View PDF of the London Borough of Barnet undertaking
View PDF of the West Sussex County Council undertaking
View PDF of the Buckinghamshire County Council undertaking
18 June 2010
Adrian Leppard, temporary Chief Constable of Kent Police, has now signed a formal undertaking to ensure that staff whose roles require them to have access to confidential information outside the office are provided with secure transportation and storage facilities.
View PDF of the Kent Police undertaking
15 June 2010
Basingstoke and North Hampshire NHS Trust has signed a formal undertaking after an Excel spreadsheet, containing 917 patients’ pathology results, was emailed via an insecure address to another department. The spreadsheet was not password protected and the receiving department had no business need to have access to the excessive amount of clinical records.
View PDF of the Basingstoke and North Hampshire NHS Trust undertaking
NHS Stoke-on-Trent has signed a formal undertaking after 2,000 paper physiotherapy records were not filed within its archive system and may have accidentally been destroyed or misfiled. The organisation will apply physical security measures in respect of paper medical records, particularly when they are in transit.
View PDF of the NHS Stoke-on-Trent undertaking
3 June 2010
Dr Rowena Mathew, Head of Practice of Lampeter Medical Practice, has signed a formal undertaking after an unencrypted memory stick containing the personal details of 8,000 patients was reported lost to the ICO.
View a PDF of the Lampeter Medical Practice undertaking
2 June 2010
West Berkshire Council has signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. The Information Commissioner’s Office (ICO) found it in breach of the Data Protection Act (DPA) following the loss of a USB stick containing the sensitive personal information of children and young people.
View a PDF of West Berkshire Council's undertaking
Enforcement notices
6 December 2011
The ICO has served an enforcement notice on Powys County Council after the council breached the Data Protection Act by disclosing sensitive information related to child protection cases to the wrong recipients.
View the Powys County Council enforcement notice
19 August 2010
The ICO has served an enforcement notice on Direct Response Security Systems after the company breached the Privacy and Electronic Communications Regulations (PECR) by making unsolicited marketing calls.
View the Direct Response Security Systems enforcement notice