DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A few ICO undertakings that flew under the radar

Posted on March 27, 2011 by Dissent

I thought that whenever the UK’s Information Commissioner’s Office (ICO) had an entity sign an undertaking to improve data security or privacy protective practices, the office issued a press release.  But thanks to Stewart Room, I’ve  learned that that’s not necessarily the case.  Stewart alerted us all to a recently signed undertaking that involved a barrister, Sarah Phillimore, who breached the Data Protection Act when she lost confidential files. From the undertaking signed this past week, a description of the incident:

In November 2010 the Information Commissioner (the “Commissioner”) received a report that Ms Phillimore had lost a quantity of sensitive personal data, property belonging to a County Council which she was representing in legal proceedings.

Ms Phillimore had been in possession of six folders of case papers required for her handling of a court case in November 2010. On conclusion of the matter she returned four of the folders to her chambers, it not being practical to return all six bulky folders at the one time. On the 13th November Ms Phillimore placed the two remaining folders in her motor vehicle intending to return those too to her chambers. However circumstances prevented this and she consequently left the folders in her vehicle, which was parked in a public street, overnight, intending to return them to her chambers on 14 November 2010.

On the morning of 14 November 2010 Ms Phillimore returned to her vehicle to find it had been broken into and the two folders of court papers stolen.

That March 23 undertaking is not the only recent undertaking that did not result in press release, it seems. As I searched, I found that Aramark Ltd. signed an undertaking on February 25th, following the theft of a laptop containing unencrypted personal information as well as and paperwork containing employee personal data:

The laptop was being used to transport new employees’ personal data from an outgoing service provider’s premises. A graduate manager was taking the personal data home with the purpose of taking it to a secure location the next day. During transit the laptop and paperwork were opportunistically stolen.

The laptop was password protected and stored 109 employees’ national insurance numbers, bank details, and passport numbers. The paperwork included four employees’ bank details and photocopies of their passports. The personal data being transferred had to be collected and checked by the data controller for payroll purposes. It was noted that the data controller proposed appropriate remedial action, and intends to complete an encryption programme for all its laptop computers by 21 January 2011.

“But wait, there’s more!” It seems that Rainforest Alliance Ltd signed an undertaking in November 2010 following the theft of a laptop with unencrypted data:

The Information Commissioner (the “Commissioner”) was provided with a report of the theft of an unencrypted laptop holding personal and financial data relating to employees of the data controller and job applicants. The laptop was being used outside the office environment by a manager, with the data controller’s knowledge and authority, and was stolen from a relative’s home in a domestic burglary.

The laptop was protected by a password, and the data files were also password-protected but not encrypted. It also emerged that only some of the data had been backed up to the office server and the data controller had not provided adequate guidance on physical security measures for those working outside the office.

The undertaking did not indicate how many employees and applicants had data on the stolen laptop or precisely what information fields or data types were involved.

So what have we learned?  Well, I’ve learned not to count on the ICO’s press release web site if I really want to know what breaches they have investigated or pursued! None of these three breaches is particularly unusual, and it’s curious that the ICO didn’t issue press releases as a way of reminding data controllers how easily this might happen to them, too.

Related posts:

  • UK: Five councils, a youth charity, and a healthcare provider sign undertakings following data breaches
Category: Breach IncidentsBusiness SectorMiscellaneousNon-U.S.PaperTheft

Post navigation

← Glazers take legal action against Manchester United fan after web leak of corporate clients
MySQL.com Database Compromised By Blind SQL Injection →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.