This snapshot, taken on 05/04/2011, shows web content acquired for preservation by The National Archives. External links, forms and search may not work in archived websites and contact details are likely to be out of date.
 
 

Taking action


There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller.

The tools are not mutually exclusive. We will use them in combination where justified by the circumstances.

The main options are:

  • serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
  • serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • conduct consensual assessments (audits) to check organisations are complying;
  • serve assessment notices to conduct compulsory audits to assess whether organisations’ processing of personal data follows good practice (data protection only);
  • issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010;
  • prosecute those who commit criminal offences under the Act; and
  • report to Parliament on data protection issues of concern.

Appeals from notices are heard by the First–tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC). The First–tier Tribunal (Information Rights) specifically hears appeals of enforcement notices, decision notices and information notices issued by the Information Commissioner. The GRC brings together a range of previously separate tribunals that hear appeals on regulatory issues.

View the Data Protection Regulatory Action Policy
View the Assessment Notices Code of Practice
View the Monetary Penalties guidance


Monetary penalty notices


8 February 2011

A monetary penalty of £80,000 was issued to Ealing Council following the loss of an unencrypted laptop which contained personal information. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies.
View PDF of the Ealing Council monetary penalty notice

A monetary penalty of £70,000 was issued to Hounslow Council following the loss of an unencrypted laptop which contained personal information. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow Council also did not monitor Ealing Council’s procedures for operating the service securely.
View PDF of the Hounslow Council monetary penalty notice

22 November 2010

A monetary penalty of £60,000 was issued to employment services company A4e Limited for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
View PDF of the A4e monetary penalty notice

A monetary penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
View PDF of the Hertfordshire County Council monetary penalty notice


Undertakings


5 April

An undertaking to comply with the seventh principle of the DPA has been signed by City of York Council, further to the inappropriate disclosure of an individual’s personal data, which occurred as a result of the information in question being erroneously included with documentation sent to an unrelated third party.
View a PDF of the City of York Council undertaking here

4 April

An undertaking to comply with the seventh data protection principle has been signed by Royal Cornwall Hospitals NHS Trust. This follows the inappropriate disclosure of third party sensitive personal data on two occasions, in response to a subject access request.
View a PDF of the Royal Cornwall Hospitals NHS Trust undertaking here

1 April

An undertaking to comply with the seventh data protection principle has been signed by Warrington and Halton Hospitals NHS Foundation Trust. This follows the theft of an unencrypted laptop containing sensitive personal data relating to 110 patients.
View a PDF of the Warrington and Halton Hospitals NHS Foundation Trust undertaking here

23 March

An undertaking to comply with the seventh data protection principle has been signed by Ms Phillimore, a barrister. This follows Ms Phillimore leaving a file containing sensitive personal data in an unattended motor vehicle, from which the file was stolen.
View a PDF of Ms Phillimore’s undertaking here

15 March

An undertaking to comply with the seventh data protection principle has been signed by Wolverhampton City Council. This follows a report in the press about the theft of a skip and the subsequent fly tipping of its contents. The skip contained personal data including bank details, employment records and medical information. The data was traced back to a local community leisure centre. The council confirms that leisure centre staff should not have disposed of personal data in a skip. The information has now been securely destroyed.
View a PDF of the Wolverhampton City Council undertaking

25 February

An undertaking to comply with the seventh data protection principle has been signed by Doncaster Metropolitan Borough Council. This follows the disclosure of third party data by the council during court proceedings.
View a PDF of the Doncaster Metropolitan Borough Council undertaking

24 February

An undertaking to comply with the seventh data protection principle has been signed by Aramark Ltd. This follows the theft of an unencrypted laptop and paperwork containing employees’ personal data.
View a PDF of the Aramark Ltd undertaking

23 February

An undertaking to comply with the seventh data protection principle has been signed by Cambridgeshire County Council. This follows the loss of an unencrypted memory stick containing sensitive personal data.
View PDF of the Cambridgeshire County Council undertaking

21 February

The Identity and Passport Service has signed an undertaking which commits the organisation to taking remedial action after the ICO found it in breach of the Data Protection Act for losing the passport renewal applications of 21 individuals.
View PDF of the Identity and Passport Service undertaking

18 February

An undertaking to comply with the seventh data protection principle has been signed by Isle of Anglesey County Council. This follows the mailing of housing and council tax benefit letters containing financial personal data to the wrong recipients. The council did not have a written agreement in place with the data processor selected to distribute the letters on its behalf. See the text of the undertaking here.
View PDF of the Isle of Anglesey County Council undertaking

11 February

Gwent Police has signed an undertaking which commits the organisation to taking remedial action after the ICO found it in breach of the Data Protection Act for accidentally emailing results of Criminal Reference Bureau (CRB) checks performed by the force to a member of the public.
View PDF of the Gwent Police undertaking

21 January

NHS Blood and Transplant has signed an undertaking which commits the organisation to being more robust in checking information is accurate. This follows the discovery that organ donation preferences of 444,031 people were recorded inaccurately on the Organ Donation Register, which is managed by NHS Blood and Transplant, due to a software error.
View PDF of the NHS Blood and Transplant undertaking

5 January

A formal undertaking has been signed by the Scottish Court Service. Following a newspaper report about a data breach by the Court Service, the ICO discovered that papers containing personal information had been lost by the editor of a series of law reports. The court service had failed to check how this individual intended to keep the information secure.
View PDF of the Scottish Court Service undertaking

22 November 2010

A formal undertaking has been signed by Stoke-on-Trent City Council, agreeing to comply with the seventh data protection principle. This follows the discovery of an unencrypted social services memory stick in Hanley containing information about 40 children.
View PDF of the Stoke-on-Trent City Council undertaking

19 November 2010

Senior Vice President of Google, Alan Eustace, has signed an undertaking on behalf of Google Inc. which commits the company to putting into place improved training measures on security awareness and data protection issues for all employees. The company has also said it will require its engineers to maintain a privacy design document for every new project before it is launched. The payload data that Google inadvertently collected in the UK will also be deleted.
View PDF of the Google undertaking

12 November 2010

A formal undertaking has been signed by Andrew McDonald, CEO of the Independent Parliamentary Standards Authority (IPSA), agreeing to comply with the seventh data protection principle. This follows an internal database being left insecure for a period of some 21 hours following IT maintenance. The insecurity resulted in the potential compromise of personal data relating to 332 MPs.
View PDF of the IPSA undertaking

11 November 2010

An undertaking to comply with the seventh data protection principle has been signed by the Rainforest Alliance Ltd. This follows the theft of an unencrypted laptop holding personal and financial data relating to employees and job applicants.
View a PDF of the Rainforest Alliance undertaking

2 November 2010

A formal undertaking has been signed by Portsmouth City Council following the inappropriate disclosure of personal information relating to an individual’s physical and mental health. The council failed to redact documents correctly in a subject access request and so accidentally disclosed information about another individual.
View a PDF of the Portsmouth City Council undertaking

19 October 2010

An undertaking to comply with the seventh data protection principle has been signed by the Lord Chief Justice of Northern Ireland. This follows the inappropriate disclosure of personal data in an email from his office earlier this year.
View a PDF of the Lord Chief Justice’s Office (Northern Ireland) undertaking

19 October 2010

The Chief Executive of the North West London Hospitals NHS Trust has signed a formal undertaking after a doctor left medical information about 56 patients on a tube train.
View a PDF of the North West London Hospitals NHS Trust undertaking

14 October 2010

A formal undertaking has been signed by Healthcare Locums Plc (HCL). A hard drive containing doctors’ security clearance and visa information had been sold on an auction website before being returned to HCL.
View a PDF of the Healthcare Locums Plc undertaking

30 September 2010

A formal undertaking has been signed by Forth Valley NHS Board. The Information Commissioner’s Office was informed that an unencrypted memory stick with no password protection and containing personal information held by the Board had been handed in to the press.
View a PDF of the Forth Valley NHS Board undertaking

20 September 2010

A formal undertaking has been signed by East & North Hertfordshire NHS Trust after an unencrypted USB stick containing sensitive personal data was lost by a member of staff on a train journey.
View a PDF of the East & North Hertfordshire NHS Trust undertaking

26 August 2010

A formal undertaking has been signed by Yorkshire Building Society (YBS), after an unencrypted laptop belonging to the former Chelsea Building Society (CBS), which had recently merged with YBS, was stolen from its Cheltenham premises. The laptop contained a substantial part of the CBS customer database.
View a PDF of the YBS undertaking

25 August 2010

A formal undertaking has been signed by DSG Retail, following the discovery of customers’ credit agreements in or near a skip at one of the company’s PC World stores. The documents related to transactions made two years prior and had been kept beyond the period recommended by DSG’s policies for holding personal data.
View a PDF of the DSG Retail undertaking

24 August 2010

A formal undertaking has been signed by Royal Wolverhampton Hospitals NHS Trust after the loss of over 100 of its patient records. The Information Commissioner’s Office was alerted to the loss of a CD which contained scans of 112 patient records from the Intensive Care Unit of New Cross Hospital’s Heart and Lung Unit. The CD was discovered at a bus stop near the hospital and was unencrypted with no password protection.
View PDF of the Royal Wolverhampton Hospitals NHS Trust undertaking

19 August 2010

A formal undertaking has been signed by Tunbridge Wells Equitable Friendly Society Limited trading as The Children's Mutual, after an annual account statement containing confidential personal data was sent in error to the wrong recipient.
View PDF of The Children's Mutual undertaking

14 July 2010

A formal undertaking has been signed by Birmingham Children’s Hospital NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the loss of two unencrypted laptops which were stolen from the Medical Day Centre, containing sensitive personal data relating to a number of the Trust’s patients.
View PDF of the Birmingham Children’s Hospital NHS Trust undertaking

8 July 2010

The ICO has taken action against the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council for breaching the Data Protection Act. A systemic lack of staff training on how to handle personal information has led to the loss of sensitive personal information relating to thousands of children.
View PDF of the London Borough of Barnet undertaking
View PDF of the West Sussex County Council undertaking
View PDF of the Buckinghamshire County Council undertaking

18 June 2010

Adrian Leppard, temporary Chief Constable of Kent Police, has now signed a formal undertaking to ensure that staff whose roles require them to have access to confidential information outside the office are provided with secure transportation and storage facilities.
View PDF of the Kent Police undertaking

15 June 2010

Basingstoke and North Hampshire NHS Trust has signed a formal undertaking after an Excel spreadsheet, containing 917 patients’ pathology results, was emailed via an unsecure address to another department. The spreadsheet was not password protected and the receiving department had no business need to have access to the excessive amount of clinical records.
View PDF of the Basingstoke and North Hampshire NHS Trust undertaking

NHS Stoke-on-Trent has signed a formal undertaking after 2,000 paper physiotherapy records were not filed within its archive system and may have accidentally been destroyed or misfiled. The organisation will apply physical security measures in respect of paper medical records, particularly when they are in transit.
View PDF of the NHS Stoke-on-Trent undertaking

3 June 2010

Dr Rowena Mathew, Head of Practice of Lampeter Medical Practice, has signed a formal undertaking after an unencrypted memory stick containing the personal details of 8,000 patients was reported lost to the ICO.
View a PDF of the Lampeter Medical Practice undertaking

2 June 2010

West Berkshire Council has signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. The Information Commissioner’s Office (ICO) found it in breach of the Data Protection Act (DPA) following the loss of a USB stick containing the sensitive personal information of children and young people.
View a PDF of West Berkshire Council's undertaking

7 May 2010

An undertaking to comply with the seventh data protection principle has been signed by Eastbourne Borough Council. This follows the theft of an unencrypted laptop containing personal data from the Towner Gallery in January.
View a PDF of Eastbourne Borough Council's undertaking

5 May 2010

An undertaking to comply with the seventh data protection principle has been signed by King's College London. This follows two incidents in which computers containing sensitive personal data were stolen from its academic offices at teaching hospitals.
View a PDF of King's College London's undertaking

4 May 2010

A formal undertaking has been signed by Bolton Youth Offending Team, agreeing to comply with the seventh data protection principle. This follows the theft of a camcorder with video footage containing sensitive personal data relating to three individuals.
View a PDF of Bolton Youth Offending Team's undertaking

4 May 2010

An undertaking to comply with the seventh data protection principle has been signed by NCL (Bahamas) Ltd. This follows the suspected theft of a computer printout containing payroll details for the company's 80 UK employees.
View a PDF of NCL (Bahamas) Ltd's undertaking

28 April 2010

An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Pensions Authority. This follows the loss of an unencrypted CD containing personal data of 9,140 pension scheme members.
View a PDF of the South Yorkshire Pensions Authority undertaking

23 April 2010

A formal undertaking has been signed by St James Primary School, agreeing to comply with the seventh data protection principle. This follows the theft of a memory stick containing sensitive personal data relating to a number of pupils.
View a PDF of the St James Primary School undertaking

22 April 2010

A formal undertaking has been signed by Sue Turner, CEO of the Birmingham and Solihull Mental Health NHS Foundation Trust, agreeing to comply with the fifth and seventh data protection principles. This follows the theft of an unencrypted laptop computer which contained personal data relating to some 1,500 of the Trust’s patients and some 450 staff.
View a PDF of the Birmingham and Solihull Mental Health NHS Foundation Trust undertaking

An undertaking to comply with the seventh data protection principle has been signed by the headteacher of Ysgol Bro Famau, in Denbighshire. This follows the theft of the school's administration computer, which contained significant amounts of personal data relating to pupils.
View a PDF of Ysgol Bro Famau's undertaking

31 March 2010

The Information Commissioner’s Office has found The Highland Council in breach of the Data Protection Act after personal data relating to several members of one family was inadvertently disclosed to another unrelated individual. The data contained sensitive information including data relating to the physical and mental health of individuals.
View PDF of The Highland Council undertaking

The Information Commissioner’s Office has found Warwickshire County Council in breach of the Data Protection Act following the theft of two laptops and the loss of a memory stick. The Chief Executive of Warwickshire County Council has signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted.
View PDF of the Warwickshire County Council undertaking

29 March 2010

The Information Commissioner’s Office has found St Albans City and District Council in breach of the Data Protection Act, after a laptop was stolen which was used to store postal voters’ records as part of an election process in June 2009. St Albans City and District Council has signed an undertaking to ensure that steps are taken to ensure staff and contractors are made fully aware of security procedures and adequate checks will be carried out on contractors’ staff.
View PDF of the St Albans City and District Council undertaking

24 March 2010

An undertaking has been signed by Zurich Insurance plc after the Information Commissioner’s Office found the company in breach of the Data Protection Act. Zurich Insurance plc lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance plc.
View PDF of the Zurich Insurance plc undertaking

16 March 2010

The Information Commissioner’s Office has found that the Royal London Mutual Insurance Society breached the Data Protection Act (DPA) after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. Michael Yardley, Group Chief Executive Officer of the company, has now signed an official undertaking to ensure that portable and mobile devices including laptops are encrypted.
View PDF of the Royal London Mutual Insurance Society undertaking

19 February 2010

An undertaking to comply with the seventh data protection principle has been signed by Redstone Mortgages Ltd, following the disclosure of reports containing personal data of over 15,000 mortgage customers last August.
View PDF of Redstone Mortgages Ltd's undertaking

11 February 2010

The Alzheimer’s Society has signed a formal undertaking promising to improve security after it reported three separate breaches involving personal information to the Information Commissioner’s Office during 2009. The undertaking also requires staff to be made aware of the Society’s policies for the storage, use and disposal of personal information. Staff must receive appropriate training on how to follow these policies.
View PDF of the Alzheimer’s Society undertaking

1 February 2010

The Information Commissioner’s Office has found the Association of Teachers and Lecturers (ATL) in breach of the Data Protection Act after a laptop and memory stick were reported lost or stolen, containing the personal details of over 6,000 union members. ATL General Secretary, Mary Bousted, has now signed an undertaking to ensure that by 28 February 2010 all portable and mobile devices used to store and transmit personal details are encrypted.
View PDF of the Association of Teachers and Lecturers undertaking

22 January 2010

Mark Hackett, the Chief Executive of Southampton University Hospitals NHS Trust, has made a formal commitment to improve data security after the Information Commissioner’s Office found SUHT in breach of the Data Protection Act.
View PDF of the Southampton University Hospitals NHS Trust undertaking

18 January 2010

The Information Commissioner’s Office has found Lancashire County Council in breach of the Data Protection Act after social work records containing sensitive personal data relating to several individuals were found in a filing cabinet purchased second-hand by a member of the public. The Council has now signed an undertaking promising to implement a formal written procedure for the removal or disposal of any office furniture or equipment.
View PDF of the Lancashire County Council undertaking

11 January 2010

The Information Commissioner’s Office has found Bellgrange Mortgages and Insurance Services Ltd in breach of the Data Protection Act after clients’ details were found in two large waste bins intended for the use of local residents. The organisation, based in Stanmore, has signed an official undertaking to improve data security.
View PDF of the Bellgrange Mortgages and Insurance Services Ltd undertaking

17 December 2009

The Information Commissioner’s Office has found Northern Ireland’s Department of Finance and Personnel in breach of the Data Protection Act after approximately 37,000 people’s personal details were stolen.
View PDF of the Department of Finance and Personnel undertaking

17 December 2009

The Information Commissioner’s Office has found Shropshire Council in breach of the Data Protection Act following the loss of an unencrypted memory stick containing sensitive information relating to a large number of adult social care clients and members of staff.
View PDF of the Shropshire Council undertaking

15 December 2009

A formal undertaking has been signed by Waseley Hills High School and Sixth Form Centre committing it to take a number of steps to ensure that personal data is processed in compliance with the Data Protection Act. The Information Commissioner’s Office found it in breach of the Data Protection Act after the theft of personal data of over 1,000 pupils and staff.
View PDF of the Waseley Hills High School and Sixth Form Centre undertaking

11 December 2009

A formal undertaking has been signed by the Orbit Heart of England Housing Association after the Information Commissioner’s Office found them to be in breach of the Data Protection Act. 57 paper files containing personal data went missing during an office move. Forty-two of the files were recovered in full, but 15 which contain a significant amount of personal data relating to each tenant and, in some cases, members of his or her family, are still missing.
View PDF of the Orbit Heart of England Housing Association undertaking

26 November 2009

A formal undertaking has been signed by Verity Trustees Ltd after the Information Commissioner’s Office found them to be in breach of the Data Protection Act. The Trustees reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals.
View PDF of the Verity Trustees Ltd undertaking

13 November 2009

Formal undertakings have been signed by Great Yarmouth and Waveney Primary Care Trust and Gloucestershire Primary Care Trust after the Information Commissioner’s Office found them in breach of the Data Protection Act.
View PDF of the Great Yarmouth and Waveney PCT undertaking
View PDF of the Gloucestershire PCT undertaking

10 November 2009

Maidstone and Tunbridge Wells NHS Trust has pledged to improve the security of patients’ personal information after the Information Commissioner’s Office found it in breach of the Data Protection Act. The Trust has signed an undertaking declaring that any personal data held on a laptop computer or other removable media by the data controller will be identified and encrypted within 6 months.
View PDF of the Maidstone and Tunbridge Wells NHS Trust undertaking

27 October 2009

Ashford and St Peter’s Hospitals NHS Trust has signed an undertaking and agreed to improve data security after it informed the Information Commissioner’s Office of a data breach involving the loss or theft of three unencrypted USB sticks containing sensitive patient information. Each of the devices contained the full treatment and full diagnosis history relating to a number of cancer patients. The information on the USB sticks was in Word format - leaving the material easily accessible to anyone with a computer.
View PDF of the Ashford and St Peter’s Hospitals NHS Trust undertaking

22 October 2009

Antony Sumara, the Chief Executive of Mid Staffordshire NHS Foundation Trust, has agreed to take action to comply with the Data Protection Act following a significant security breach. The breach occurred after a member of the Trust’s human resources team transferred personal information to a home computer. The information, known as a ‘Statement of Case’, contained sensitive personal details about an employee and two further documents. Some of the information related to the employee’s previous criminal conviction.
View PDF of the Mid Staffordshire NHS Foundation Trust undertaking

14 September 2009

A formal undertaking has been signed by Billing Pharmacy Ltd, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted computer containing sensitive personal data for around 1,000 customers.
View PDF of the Billing Pharmacy Ltd undertaking

A formal undertaking has been signed by NHS Grampian, agreeing to comply with the seventh data protection principle. This follows several data security breaches there in the past few months.
View PDF of NHS Grampian’s undertaking

8 September 2009

A formal undertaking has been signed by NHS Education for Scotland, following the theft of an unencrypted laptop. The laptop contained the personal information of 6377 applicants for medical training positions.
View PDF of NHS Education for Scotland undertaking

7 September 2009

A formal undertaking has been signed by Ipswich Hospital NHS Trust, agreeing to comply with the seventh data protection principle. A ward summary list, containing patients’ personal data, was found outside the hospital premises. A similar incident had occurred in 2008, but some resulting recommendations had not been implemented.
View PDF of Ipswich Hospital NHS Trust’s undertaking

4 September 2009

A formal undertaking has been signed by Sandwell Metropolitan Borough Council after an unencrypted memory stick was lost by an employee. The memory stick, which was not password protected, contained sensitive personal information relating to four families, including why children were taken into care or made subject to a Child Protection Plan.
View Sandwell Metropolitan Borough Council undertaking

3 September 2009

Wigan Council has signed an undertaking after the theft of a laptop computer containing personal information relating to approximately 43,000 children and young people. The laptop included personal details on most children and young people in Wigan’s schools. The information had been downloaded on to the laptop in breach of council policy.
View PDF of the Wigan Council undertaking

21 August 2009

London Borough of Sutton has signed an undertaking following an investigation by the ICO into several data security incidents. These included the loss of a paper file which contained personal data relating to 73 individuals receiving social care and the theft of two unencrypted laptops. A package of documents also went missing when a courier used by the council left it with the recipient’s neighbour.
View PDF of the London Borough of Sutton undertaking

20 August 2009

A formal undertaking has been signed by Repair Management Services Ltd (formally MVRA), a trade body that provides advice to businesses involved in motor vehicle repair. It follows the theft of an unencrypted laptop containing the personal information of approximately 36,800 individuals. The laptop, which was stolen from a secure vehicle in a public car park, was password protected but unencrypted.
View PDF of the Repair Management Services Ltd undertaking

14 August 2009

A formal undertaking has been signed by East Cheshire NHS Trust after pages from an Accident and Emergency register were found in a garden in Newcastle-under-Lyme. The pages contained sensitive personal data relating to the physical and mental health of over 60 patients. The loss followed an office move involving various departments of the Trust during which an external company was hired, without a written contract, to clear out rubbish from the old premises.
View PDF of the East Cheshire NHS Trust undertaking

12 August 2009

A formal undertaking has been signed by Dr Paul Thomas of the Gipping Valley Practice, Ipswich, agreeing to comply with the seventh data protection principle. This follows the discovery of a Practice server found in the car park of the Practice by an employee of the Suffolk Primary Care Trust. The server contained the sensitive personal data of a large number of Practice patients and the personal data of Practice employees.
View PDF of the Dr Paul Thomas undertaking

A formal undertaking has been signed by UPS Limited, following a breach of the Data Protection Act last year. An unencrypted password-protected laptop was stolen from one of UPS’s employees while on business abroad in October 2008. The laptop, which was not recovered, contained the payroll data of approximately 9,150 UK-based UPS employees.
View PDF of the UPS Limited undertaking

28 July 2009

A formal undertaking has been signed by Imperial College Healthcare NHS Trust at St Mary's Hospital, South Wharf Road, London, agreeing to comply with the seventh data protection principle. This follows the theft of six unencrypted laptop computers (two incidents) and the loss of a small number of paper records which, in total, contained personal data relating to some 6,000 of the Trust's patients.
View PDF of the Imperial College undertaking

A formal undertaking has been signed by NHS Lothian agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted memory stick and some paper files temporarily left in a shop.
View PDF of the NHS Lothian undertaking

A formal undertaking has been signed by London Clubs International Limited agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop containing the data of approximately 26,000 customers.
View PDF of the London Clubs International Limited undertaking

23 July 2009

A formal undertaking has been signed by Neath Port Talbot County Borough Council agreeing to comply with the seventh data protection principle. This follows the loss of a memory stick containing information relating to 65 children.
View PDF of the Neath Port Talbot County Borough Council undertaking

22 July 2009

A formal undertaking has been signed by The Highland Council agreeing to comply with the seventh data protection principle. This follows the theft of two laptop computers from the authority’s premises in Inverness.
View PDF of The Highland Council undertaking

15 July 2009

A formal undertaking has been signed by Counted4 CIC of 4 Mary Street, Sunderland, Tyne & Wear, SR1 3NH, agreeing to comply with the seventh data protection principle. This follows the loss of a number of paper records containing sensitive personal information relating to 84 of the organisation’s clients. The records were in a locked filing cabinet which appears to have been accidentally destroyed during an office move.
View PDF of the Counted4 undertaking

A formal undertaking has been signed by Oldham Council agreeing to comply with the seventh data protection principle. This follows the theft of a total of 13 unencrypted laptop computers, of which 3 computers contained personal data relating to a total of some 220 Oldham Council residents. With the exception of one, the computers concerned were stolen from Council premises: eleven computers were stolen in the course of a burglary at secure Council offices, one computer was stolen from a staff member’s car and one was stolen during the course of a youth activity evening.
View PDF of the Oldham Council undertaking

14 July 2009

A formal undertaking has been signed by Chelsea & Westminster Hospital NHS Foundation Trust agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted USB memory stick containing personal data relating to 143 of the Trust’s patients.
View PDF of the Chelsea & Westminster Hospital NHS Foundation Trust undertaking

A formal undertaking has been signed by Epsom & St Helier University Hospitals NHS Trust of Wrythe Lane, Carshalton, Sutton, SM5 1AA, agreeing to comply with the seventh data protection principle. This follows the discovery of the insecure storage of hospital records, relating to a large number of the Trust's patients.
View PDF of the Epsom & St Helier University Hospitals NHS Trust undertaking

A second formal undertaking has been signed by The Hampshire Partnership NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer, containing the personal data of 349 patients and 258 members of staff, from a Trust employee who attended a conference at a London hotel.
View PDF of The Hampshire Partnership NHS Trust undertaking

A formal undertaking has been signed by the Nightingale Practice, within the City & Hackney Teaching Primary Care Trust of St. Leonard's, Nuttall Street, London, N1 5LZ, agreeing to comply with the seventh data protection principle. This follows the theft of 10 back-up tapes and a USB portable hard drive, containing personal data relating to some 7,700 of the practice's patients. The USB hard drive and 5 of the back-up tapes were not encryption protected.
View PDF of the Imperial College undertaking

A formal undertaking has been signed by The Royal Free Hampstead NHS Trust agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted computer disk containing personal data relating to some of the Trust’s patients.
View PDF of The Royal Free Hampstead NHS Trust undertaking

A formal undertaking has been signed by Surrey and Sussex Healthcare NHS Trust agreeing to comply with the seventh data protection principle. This follows the loss of a ward handover sheet and the theft of two unencrypted laptop computers containing personal data relating to 23 and up to 80 of the Trust’s patients respectively.
View PDF of The Surrey and Sussex Healthcare NHS Trust undertaking

7 July 2009

A formal undertaking has been signed by Jubilee Managing Agency Limited, agreeing to comply with the fifth and seventh data protection principles. This follows the loss of an unencrypted disk containing personal data, including financial details, relating to 2100 policyholders. Some of the data also related to cancelled or expired policies.
View PDF of Jubilee Managing Agency Limited’s undertaking.


Enforcement notices


19 August 2010

The ICO has served an enforcement notice on Direct Response Security Systems after the company breached the Privacy and Electronic Communications Regulations (PECR) by making unsolicited marketing calls.
View the Direct Response Security Systems enforcement notice

22 March 2010

The ICO has served an enforcement notice on SAS Fire & Security Systems after the company breached the Privacy and Electronic Communications Regulations (PECR) by making unsolicited marketing calls.
See the text of the SAS Fire & Security Systems enforcement notice here

4 February 2010

The ICO has served an enforcement notice on the Labour Party after it breached the Privacy and Electronic Communications Regulations (PECR). The enforcement action follows an investigation which revealed that the party had made unsolicited automated marketing calls without consent to almost half a million individuals.
View PDF of the Labour Party enforcement notice

14 October 2009

The ICO has taken enforcement action against Ivor Cox, trading as Orion Forklift and Plant, following breaches of the Privacy and Electronic Communications Regulations. The action comes after more than 1700 complaints about the organisation were received by the Fax Preference Service (FPS). After considering the complaints made to the FPS and other complaints made to the ICO, the Information Commissioner has served an enforcement notice.
View PDF of the Orion Forklift and Plant enforcement notice

4 August 2009

The Information Commissioner’s Office has served enforcement notices on 14 construction firms following breaches of the Data Protection Act. Some organisations paid thousands of pounds to unfairly obtain personal information about construction workers.

The firms are: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services Limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited.

View PDF of the Balfour Beatty Civil Engineering Limited enforcement notice
View PDF of the Balfour Beatty Construction Northern Limited enforcement notice
View PDF of the Balfour Beatty Construction Scottish & Southern Limited enforcement notice
View PDF of the Balfour Beatty Engineering Services (HY) Limited enforcement notice
View PDF of the Balfour Beatty Engineering Services Limited enforcement notice
View PDF of the Balfour Beatty Infrastructure Services Limited enforcement notice
View PDF of the CB&I UK Limited enforcement notice
View PDF of the Emcor Engineering Services Limited enforcement notice
View PDF of the Emcor Rail Limited enforcement notice
View PDF of the Kier Limited enforcement notice
View PDF of the NG Bailey Limited enforcement notice
View PDF of the Shepherd Engineering Services Limited enforcement notice
View PDF of the SIAS Building Services Limited enforcement notice
View PDF of the Whessoe Oil & Gas Limited enforcement notice