Northumberland County Council has reported itself to the Information Commissioner’s Office after a data handling mishap left thousands of pensioners exposed to possible identity theft.

The incident involved an unfortunate series of events which began when the Council gave a mailing company an address file which accidentally contained the National Insurance details of 6,597 former employees, which it had forgotten to delete.  The mailing company then posted out a ‘pensions newsletter’ to the ex-employees, with each recipient’s National Insurance number put on show beside their name and address.

The ICO has apparently taken a dim view of the matter, with a local newspaper reporting:

“The Information Commissioner’s Office (ICO) last night said the combination of a person’s national insurance details, their name and address could, if they fell into the wrong hands, “help to build up a picture of someone’s life” and put them at risk of identity theft… The ICO said it takes any breach of the act very seriously and could make the council sign an undertaking to say it will not happen again.”

A spokesperson for Northumberland County Council described the incident as ‘a clear and very regrettable case of human error’.  Chris Heane, the Council’s information security officer, commented:

“An error has occurred where the addressee has had their national insurance number printed within the address box. This is a breach of the Data Protection Act which we sincerely apologise for and we are currently investigating the cause. We have reported this incident to the Information Commissioners Office and we will be writing to each individual concerned to explain how this has happened.”

Source: The Journal, 8 April 2010.

Barnet Council has lost the personal data of approximately 9,000 students following a burglary at an employee’s home.

The stolen information was stored on unencrypted CDs and memory sticks in breach of council IT security policy, the London Borough said. An encrypted council laptop was also taken during the break-in earlier this month.

In a letter apologising to parents, Barnet Chief Executive said the missing data included children’s names, addresses, date of birth, details of educational attainment and free school meals entitlement – and in a ‘few’ cases was ‘more extensive’.

According to a statement by the Council, the employee – now suspended – had been using  the data ‘for statistical purposes’.  Barnet said it had since taken action to improve its data handling procedures including ’software changes to prevent staff saving any data onto unsecured memory devices (including CD-ROMs)’.  A full independent inquiry has been ordered into the incident.

Stoke-on-Trent City Council has launched an inquiry after a memory stick containing highly confidential information about vulnerable children was found on a busy main road by a passerby.

Reports claim the memory stick contained dozens of sensitive council documents relating to foster carers, family court proceedings, parenting assessments, child custody arrangements and the psychological histories of children in care. The USB device was not encrypted or password-protected, in violation of the council’s IT security policy.

A Council spokesperson said: “The safety of children in our care is our priority. We have procedures for ensuring that confidential and sensitive data is kept as secure as possible.”

The incident follows the loss of 2,000 NHS patient records in Stoke-on-Trent earlier this month.

Source: The Sentinel, 27 March 2010.

An MP’s security passcard allowing access to city council buildings has been found in a street, it is reported.

The pre-programmed swipe card, belonging to Plymouth Sutton MP Linda Gilroy, is said to have been handed in anonymously to a local newspaper with a note saying ‘found by the road around Sutton Harbour’.

The plastic pass bore a photograph of Mrs Gilroy and the words: ‘This card must be displayed at all times in any Plymouth City Council buildings’.

According to the City Council, Mrs Gilroy’s pass allowed ‘general access’ only and could not have been used to enter high-security areas.  A spokesperson told the newspaper:

“When outside the building they are expected to remove and store their pass securely… Pass holders must not allow anyone else to use their pass. If someone suspects they have lost their pass or it has been stolen they are asked to contact security immediately to ensure it is cancelled and cannot be used by anyone else.”

The MP reportedly described the loss of the card as ‘a bit of a mystery’, adding that the card had not worked ‘for some time’.

Source: Western Morning News, 17 March 2010

Angus Council has apologised after confidential council documents were found dumped in a florist’s wheelie bin.

The discarded papers included sensitive personal and payroll data relating to council employees, according to reports.

Angus Council explained in a statement:

“As part of a recent exercise to box up and move personal paper files from the office in Arbroath to council headquarters in Forfar, old papers were discarded. The bulk of these papers, which included some timesheets, related to staff who have subsequently left the council’s employment.

“Our usual process is to shred all papers containing confidential details prior to their disposal, but in this instance a small number of papers were incorrectly put out in a black bag with normal waste. The bag was then placed, in error, in the bin belonging to the florist’s shop.”

Source: Arbroath Herald, 5 March 2010.

A laptop and a laptop bag containing documents with ‘employee information’ were stolen from Oldham Council over the weekend, it is reported.

The theft follows an incident in January 2009 when a person wandered into Oldham Civic Centre and walked out again, apparently unchallenged, wheeling 17 council laptops in a recycling bin.

Council staff were reportedly told the information stolen in the latest breach was ‘limited to names, job titles and salaries of a number of employees’  and that the risk of misuse was ‘minimal’.

Source: Manchester Evening News, 3 March 2010.

Wigan Metropolitan Borough Council has apologised for the loss of an unencrypted memory stick containing sensitive personal information about more than 200 disabled residents.

According to reports, the local authority was notified those affected and ordered a temporary ban on the use of all USB drives.

The details stored on the missing memory stick are said to include names, addresses, some national insurance numbers, ethnicity and types of disability.  A member of staff is reported to have been suspended and another disciplined as a result of the loss.

The incident comes despite the Council signing an undertaking in September 2009 to improve data security, following the theft of an unencrypted laptop holding personal data on approximately 43,000 children and young people in Wigan’s schools.

Further information: BBC News, 3 February 2010.

Three laptops have been stolen in a burglary at the offices of the Connexions youth advisory service, managed by Enfield Council.

The computers were taken after a window was left unlocked, police said.

The laptops, which were password-protected but not encrypted, did not contain any sensitive information according to a spokesperson for the Council.

Source: Enfield Independent, 24 January 2010.

Lancashire County Council has been found in breach of the Data Protection Act after social work records containing sensitive personal information were found in a second-hand filing cabinet bought by a member of the public.

The records, which were duplicates of documents held by the council, contained what the Information Commissioner called ‘extensive’ amounts of personal data about individuals.

Source: Information Commissioner’s Office, 18 January 2010.

Related Documents

Formal Undertaking between Lancashire County Council and the ICO.

Private details of around 30 staff at Cheltenham Borough Council were accidentally published on the local authority’s intranet.

According to reports, a list of 30 staff, containing their payroll number, wage, age and home address, was released onto the intranet system overnight before workers realised the mistake and removed the data.

The incident, which took place in April 2009, came to light following a Freedom of Information Act enquiry.  It was said to be the Council’s first accidental release of confidential information in six years.

Though a Council spokesperson downplayed the seriousness of the incident, the breach prompted the local authority to review internal procedures to prevent further incidents.

Source: Gloucestershire Echo, 16 January 2010.