Gwent Police has apologised after the personal details of 10,006 individuals applying for criminal record checks were emailed to a journalist by accident.

A senior member of staff sent the sensitive information, which was not encrypted or password-protected, as an attachment in an email to five colleagues. Unfortunately, the staff member failed to spot their email system’s ‘AutoComplete’ feature had mistakenly copied in a reporter at The Register, Europe’s largest IT news website.

The Excel spreadsheet is said to have contained the full names and dates of birth of individuals subject to CRB checks since 2001. It also included the results of these checks, identifying 863 people as having a disclosures against them and, in some cases, revealing their occupations and criminal histories.

In a statement, Gwent Police attributed the data breach to  ’human error’ rather than a software problem, saying:

“As a Force we have strict policies and procedures in place relating to Data Security but regrettably these were not followed on this occasion. We are very sorry that we have on this occasion failed to meet our own high standards.”

Gwent Police confirmed a member of staff had been suspended and an internal investigation had begun under the supervision of the Independent Police Complaints Commission.

Source: The Register, 16 April 2010.

Northumberland County Council has reported itself to the Information Commissioner’s Office after a data handling mishap left thousands of pensioners exposed to possible identity theft.

The incident involved an unfortunate series of events which began when the Council gave a mailing company an address file which accidentally contained the National Insurance details of 6,597 former employees, which it had forgotten to delete.  The mailing company then posted out a ‘pensions newsletter’ to the ex-employees, with each recipient’s National Insurance number put on show beside their name and address.

The ICO has apparently taken a dim view of the matter, with a local newspaper reporting:

“The Information Commissioner’s Office (ICO) last night said the combination of a person’s national insurance details, their name and address could, if they fell into the wrong hands, “help to build up a picture of someone’s life” and put them at risk of identity theft… The ICO said it takes any breach of the act very seriously and could make the council sign an undertaking to say it will not happen again.”

A spokesperson for Northumberland County Council described the incident as ‘a clear and very regrettable case of human error’.  Chris Heane, the Council’s information security officer, commented:

“An error has occurred where the addressee has had their national insurance number printed within the address box. This is a breach of the Data Protection Act which we sincerely apologise for and we are currently investigating the cause. We have reported this incident to the Information Commissioners Office and we will be writing to each individual concerned to explain how this has happened.”

Source: The Journal, 8 April 2010.

Thousands of NHS patients in Wales have been told an unprotected memory stick containing their personal details is missing.

The USB stick was lost in transit between a GP surgery in Lampeter, Ceredigion, and the NHS Wales Business Services Centre, based in Pontypool.

The memory stick – which was not encrypted or password-protected – had been used to store patients’ names, addresses, dates of birth and NHS numbers.

Hywel Dda Local Health Board (the body overseeing healthcare services across mid and west Wales) said the memory stick did not contain any clinical information.

In light of the data loss, the Health Board has now written to all GP practices, opticians, dentists and pharmacists to remind them, it said, ‘of the importance of the patient data security and to reinforce the formal procedure for the safe transfer of patient data’.

Source: WalesOnline, 1 April 2010.

Barnet Council has lost the personal data of approximately 9,000 students following a burglary at an employee’s home.

The stolen information was stored on unencrypted CDs and memory sticks in breach of council IT security policy, the London Borough said. An encrypted council laptop was also taken during the break-in earlier this month.

In a letter apologising to parents, Barnet Chief Executive said the missing data included children’s names, addresses, date of birth, details of educational attainment and free school meals entitlement – and in a ‘few’ cases was ‘more extensive’.

According to a statement by the Council, the employee – now suspended – had been using  the data ‘for statistical purposes’.  Barnet said it had since taken action to improve its data handling procedures including ’software changes to prevent staff saving any data onto unsecured memory devices (including CD-ROMs)’.  A full independent inquiry has been ordered into the incident.

Stoke-on-Trent City Council has launched an inquiry after a memory stick containing highly confidential information about vulnerable children was found on a busy main road by a passerby.

Reports claim the memory stick contained dozens of sensitive council documents relating to foster carers, family court proceedings, parenting assessments, child custody arrangements and the psychological histories of children in care. The USB device was not encrypted or password-protected, in violation of the council’s IT security policy.

A Council spokesperson said: “The safety of children in our care is our priority. We have procedures for ensuring that confidential and sensitive data is kept as secure as possible.”

The incident follows the loss of 2,000 NHS patient records in Stoke-on-Trent earlier this month.

Source: The Sentinel, 27 March 2010.

An MP’s security passcard allowing access to city council buildings has been found in a street, it is reported.

The pre-programmed swipe card, belonging to Plymouth Sutton MP Linda Gilroy, is said to have been handed in anonymously to a local newspaper with a note saying ‘found by the road around Sutton Harbour’.

The plastic pass bore a photograph of Mrs Gilroy and the words: ‘This card must be displayed at all times in any Plymouth City Council buildings’.

According to the City Council, Mrs Gilroy’s pass allowed ‘general access’ only and could not have been used to enter high-security areas.  A spokesperson told the newspaper:

“When outside the building they are expected to remove and store their pass securely… Pass holders must not allow anyone else to use their pass. If someone suspects they have lost their pass or it has been stolen they are asked to contact security immediately to ensure it is cancelled and cannot be used by anyone else.”

The MP reportedly described the loss of the card as ‘a bit of a mystery’, adding that the card had not worked ‘for some time’.

Source: Western Morning News, 17 March 2010

Angus Council has apologised after confidential council documents were found dumped in a florist’s wheelie bin.

The discarded papers included sensitive personal and payroll data relating to council employees, according to reports.

Angus Council explained in a statement:

“As part of a recent exercise to box up and move personal paper files from the office in Arbroath to council headquarters in Forfar, old papers were discarded. The bulk of these papers, which included some timesheets, related to staff who have subsequently left the council’s employment.

“Our usual process is to shred all papers containing confidential details prior to their disposal, but in this instance a small number of papers were incorrectly put out in a black bag with normal waste. The bag was then placed, in error, in the bin belonging to the florist’s shop.”

Source: Arbroath Herald, 5 March 2010.

The medical records of around 2,000 NHS patients in Stoke-on-Trent have been lost.

The missing records are those of patients who received physiotherapy treatment at the Haywood Hospital, part of NHS Stoke on Trent, in or before 2006.  The hospital has apologised to patients for the security breach. It said in a statement:

“We are investigating the possibility of records having been destroyed under confidential conditions, in error… Procedures have already been tightened and steps are in place to ensure this does not happen again.”

Source: The Sentinel, 12 March 2010.

The Department for Work and Pensions is said to be ‘extremely concerned’ after confidential information about JobcentrePlus customers was accidentally posted to a man claiming benefits.

An investigation is underway into the data breach involving Colchester JobcentrePlus. According to reports, the personal details of eight jobseekers – including their names and National Insurance Numbers – were sent by mistake to another customer, who handed the information in to a local newspaper.

In a statement, the DWP said:

“We have recovered the information and are looking into this to find out what happened and the measures we need to take to prevent this occurring again.”

Source: Essex County Standard, 9 March 2010.

A review is underway after NHS patients in the East of England received confidential data about other people.

NHS IT body, Connecting for Health, has apologised after patients’ details were accidentally disclosed in a mailshot designed – ironically – to reassure them about the security of their medical records.

BBC Look East reports a number of recipients opened their envelopes to find letters addressed to other patients.

The letters – marked ‘Private and Confidential’ – showed the patient’s name, address and personal NHS number.

NHS Connecting for Health, which sent the letters on behalf of primary care trusts in the region, blamed a contractor for the error.  It said in a statement:

“Some PCTs have been made aware that, in a number of cases, more than one patient letter has been placed in an envelope.  The letters contain no medical information.

“The mailhouse supplier responsible… has undertaken a rigorous review of their processes.”

Source: BBC News, 7 March 2010.