DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK: North East Lincolnshire Council hit with £80,000 penalty after breach involving special needs children’s information

Posted on October 29, 2013 by Dissent

A monetary penalty notice has been served by the Information Commissioner’s Office on North East Lincolnshire Council after the loss of an unencrypted USB drive containing personal and sensitive personal data relating to 286 special needs children.

From the notice announcing the penalty:

On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system. When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.

The teacher worked in the data controller’s Special Educational Needs Support Service in the Children’s Services Directorate (‘the directorate’). The teacher would spend the majority of time away from council offices visiting schools and other community locations. The teacher was not primarily office based and did not have remote access to the data controller’s computer system. Information was saved on the USB stick as it enabled access to necessary data during visits to the different locations. The data controller issued the teacher with the USB stick in 2005.

The USB stick holds the personal and sensitive data of 286 pupils with special educational needs who attended schools in the data controller’s area. The pupils were aged between 5 and 16 years. The data consists of reports that cover issues such as dyslexia, Irlen syndrome and other mental and physical disabilities, school performance, learning issues and specific teaching strategies for pupils with special educational needs. All of the reports contain the name of the pupil and the school they attended. The majority of the reports contain the DOB of the pupil and some contain pupils’ home addresses. A small number of reports identify the parents of a pupil, and contain information about the ‘home-life’, which includes financial matters and family dynamics. The reports identify whether the pupil is deemed vulnerable and whether the data controller’s children’s services are involved. The reports are all protectively marked.

Following the incident, the data controller carried out a risk assessment for the potential damage and distress to the data subjects. The internal report estimated that the loss of the sensitive personal data is likely to lead to the ill-health of those affected through the disclosure of the data or due to a break in the services which they were receiving. The likely damage and distress to the data subjects is substantial due to the volume of data which has been lost, and that the data subjects are children aged 5 -16, some of whom are deemed vulnerable (and their families). The data subjects were not notified of the data breach.

The notice explains that the council had been using unencrypted memory sticks since 2005, and although it had implemented a policy of using encrypted sticks four months before the incident occurred, “it had failed to implement any effective short term plan to limit the risks.”

As a consequence of the incident, the ICO issued a monetary penalty of  £80,000. One of the factors considered was that the council did not notify those affected, despite the fact that their own risk assessment after the incident recommended notification.

 

No related posts.

Category: Government SectorLost or MissingNon-U.S.

Post navigation

← FL: Former Broward court clerk pleads guilty to ID theft
Genesis Rehabilitation Services employee loses unencrypted thumb drive with employees’ information →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.