UK Privacy Debacles

This page catalogues UK Privacy debacles, inspired by this (US-centric) article in Wired magazine: [1]

Summary Records Date Organisation Breach Type Organisation Type
Ex-officer is fined £9,600 for misuse of PSNI computer. The man accessed the database illegally 36 times, looking up information on a former girlfriend, man who had accused him of assault, the whereabouts of a car he had sold, and members of his own family. Was "invited to resign" after an internal investigation, which contributed to the level of fine handed down. The judge emphasised that people with access to databases owe a duty of care to data subjects and cannot be allowed to undermine the confidence of the public, esp. in the case of the police.

This demonstrates the range of people who might be at risk from crimes perpetrated by data controllers. The defendant's only explanation was "curiosity and boredom"—one wouldn't like to see what he could get up to with a more pernicious motive.

36 2012-01-11 Musgrave Police Station, Northern Ireland Employee misuse Police
London Health Observatory has had a laptop stolen that contained the postcode and age of patients and details of all hospital visits in 2009/10 throughout England. The laptop had no encryption. 125,000,000 2011-05-31 London Health Observatory Stolen Laptop NHS
Calderdale Royal Hospital has had a laptop stolen that contained names, dates of birth and addresses of patients. The laptop was connected to a No encryption was used on the laptop because the information service was anxious not to disturb the functioning of the equipment. 1,500 2011-01-31 Calderdale Royal Hospital Stolen Laptop NHS
The organ donation preferences of 444,031 people were recorded inaccurately on the Organ Donation Register (ODR) due to a software error (ICO press releases page). 444,031 2011-01-21 Organ Donation Register Software Error NHS
The personal details of 1,147 people were lost when a laptop computer was stolen from the home of a junior doctor working for Hull and East Yorkshire Hospitals NHS Trust. The information included names, dates of birth, treatment the patients received and their hospital numbers. 1,147 2011-01-19 Hull and East Yorkshire Hospitals NHS Trust Stolen Laptop NHS
Birmingham Children's Hospital has had two unencrypted laptops containing personal information relating to 17 patients were stolen from the Medical Day Centre The laptops contained sensitive personal data such as patient diagnoses, video recordings and information on the health of the individual patients. The laptops belonged to the Respiratory Medicine department and were used as part of the diagnostic and on-going assessment of patients 17 2010-07-14 Birmingham Children's Hospital Stolen Laptop NHS
DairyCo have had a laptop stolen that contained a spreadsheet with about 14,200 dairy farmers' names, contact details, transaction reference numbers and milk quotas. 14,200 2010-07-03 DairyCo Stolen Laptop Business
More than 24,000 people in Hull and Leicester have had information about them stolen when an employee of A4e had his laptop stolen in a domestic burglary A4e delivers public services across a range of sectors, including employment and welfare, training and education and debt and legal advice. The stolen laptop contained names, postcodes, dates of birth and any possible awards made by a court. 24,000 2010-06-29 A4e Stolen Laptop Business
Confidential data stolen from Kent Police officer's car A member of the public found the paperwork dumped in the street the day after the theft and took it to a local police station. ? 2010-06-21 Kent Police Theft Police
A member of staff from Lampeter Medical Practice downloaded a database containing 8,000 patient details onto an unencrypted USB stick before sticking it in the post. It may have been sent recorded delivery but the USB stick never made it to its final destination 8,000 2010-06-04 Lampeter Medical Practice Mail NHS
West Berkshire Council has had to take remedial action after losing children’s personal data The Information Commissioner's Office found it in breach of the Data Protection Act following the loss of a USB stick containing the sensitive personal information of children and young people. ? 2010-06-03 West Berkshire Council Lost Media Council
Unencrypted memory sticks and CDs containing names, addresses and dates of birth of 9,000 Barnet school children were stolen in a break-in at a council employee's house in north London. The data relating to Year 11 pupils from 2007, 2008 and 2009 included information about their educational attainment, entitlement to free school meals and home postcodes. 9,000 2010-03-03 Barnet Council Stolen Media Council
High street retailer Argos has been including the customer's full name, address, credit-card number and three-digit CCV security code unencrypted in the HTML of emails sent to customers to confirm orders placed on the Argos website. The credit card details of Tony Graham, who discovered and reported the issue to Argos, were subsequently stolen, although there's no evidence to link the theft to the Argos email. Argos refused to say how many customers were affected. 2010-03-03 Argos Email Business
Belfast office of Anglo Irish Bank accidentally emailed information on 504 customers Contained confidential information on 803 transactions carried out for 454 corporate clients and 50 individuals. 504 2009-12-07 Anglo Irish Bank Email Company
The Rural Payments Agency (RPA) has lost computer tapes containing the bank details, addresses, passwords and security questions of more than 100,000 farmers 100,000 2009-10-29 Rural Payments Agency Lost Media Council
The Ministry of Justice lost an encrypted memory stick containing budget spreadsheets which included the names, national insurance and employee numbers of 1,500 MoJ staff 1,500 2009-09-23 Ministry of Justice Lost Media Government Department
Demon Internet sent thousands of business and government subscribers an email containing 3,681 customer records on it Entries include names, emails, telephone numbers, user name and password. 3,681 2009-09-23 Demon Internet Email Company
NHS Education for Scotland have had a laptop stolen contaning unencrypted data on 6,377 applicants for medical training positions The information included names, addresses, phone numbers and summaries of the applicants, as well as monitoring information relating to equality and diversity. 6,377 2009-09-10 NHS Education for Scotland Theft NHS
Wigan Council has lost unencrypted data on 43,000 school pupils, when a laptop was stolen 43,000 2009-09-04 Wigan Council Theft Council
Home Office lost the personal details of 377,000 people on a memory stick 250,000 of the records comes from the Drug Interventions Programme and is an estimate of the number of times the programme was accessed by individuals. 377,000 2009-08-27 Home Office Lost Media Government Department
East Sussex Council have lost the names, addresses and passport numbers of 73 East Sussex Youth Orchestra musicians in a ferry toilet 73 2009-08-26 East Sussex Council Lost Document Council
Surrey County Council's adult and children's services departments has had 11 laptops and five BlackBerry phones stolen Data affecting thousands of children and families is involved. Some of this was encrypted but at least 7,000 childrens records where not encrypted. 7,000 2009-08-24 Surrey County Council Lost Laptop Council
London Borough of Sutton has lost the details of over hundred people. These included the loss of a paper file which contained personal data relating to 73 individuals receiving social care and the theft of two unencrypted laptops. One laptop contained social care data of 39 individuals and the other contained information relating to nine children being taught by a teacher employed by the council. 100 2009-08-24 London Borough of Sutton Lost Document Council
North Somerset Council have had 13 laptops stolen over the past three years, no records kept on lost USB's or CDs No records where kept of what was on the machines so it is unknown how much confidential data has been lost. 2009-08-23 North Somerset Council Stolen Laptop Council
Personal details of 36,800 people with information of 1,900 driving convictions has been stolen from Repair Management Services A laptop was stolen from a packed car. 36,800 2009-08-21 Repair Management Services Stolen Laptop Trade Association
Sensitive patient information for more than 60 patients including physical and mental states has been lost by East Cheshire NHS The records where dumped in a skip, then turned up in a garden 20 miles away. 60 2009-08-19 East Cheshire NHS Disposal Document NHS
A disk has been lost containing details on approximately 20,000 patients of the Royal Free Hampstead NHS Trust’s cardiology department. 20,000 2009-08-15 Royal Free Hampstead NHS Trust Lost Media NHS
Children's details stored on a Lincoln play group's laptop stolen Abbey Play Group have not recovered the laptop but the thief has been prosecuted. 2009-08-08 Abbey Play Group Stolen Laptop Business
Medical data on 6,000 patients has been stolen from Imperial College when six laptops stolen 6,000 2009-07-30 Imperial College Stolen Laptop University
NHS Lothian have lost information on 137 patients on a USB left in a shop 137 2009-07-30 NHS Lothian Lost Media NHS
A laptop containing confidential information on 2,000 patients was stolen from Broomfield Hospital 2,000 2009-07-30 Broomfield Hospital Stolen Laptop NHS
A laptop containing the data of approximately 26,000 casino customers of London Clubs International Limited has been stolen 26,000 2009-07-28 London Clubs International Limited Stolen Laptop Business
Stolen laptops from the the Highland Council expose 1400 patient medical records 1,400 2009-07-23 The Highland Council Stolen Laptop Council
Manchester City Council have lost a laptop containing the personal details of 1,754 employees working at local schools 1,754 2009-06-22 Manchester City Council Lost Laptop Council
A GP surgery in London has lost the details of 7,000 patients after burglars stole an external hard drive and backup tapes. The hard drive contained unencrypted files with sensitive information including names, illnesses and medical histories of the patients, it was reported. The backup tapes, containing more of the same information, were encrypted. 7,000 2009-06-16 Nightingale Practice Stolen Media NHS
Amicus Legal has had a laptop containing personal information relating to 100,000 customers stolen. The Laptop was not encrypted. The personnel information included sensitive information relating to legal advice. 100,000 2009-06-09 Amicus Legal Stolen Laptop Business
A laptop with data on 3,500 patients was stolen from Salford Royal NHS Foundation Trust. 3,500 2009-06-04 Salford Royal NHS Foundation Trust Stolen Laptop NHS
A USB memory stick containing patient letters and waiting list data for Bradford Teaching Hospitals has been lost. 5,650 patients whose details may have been stored on the device have been apologised to. 5,650 2009-06-04 Bradford Teaching Hospitals Lost Media NHS
A USB key containing the medical histories for 137 patients has been lost by NHS Lothian. The loss of data concerning copies of letters from June 2006 to June 2008 between family doctors and NHS Lothian. 137 2009-06-01 NHS Lothian Lost Media NHS
A memory stick with the names and dates of birth of 2,450 patients was misplaced by staff at Greenwich Teaching PCT, in south-east London, in January 2,450 2009-05-29 Greenwich Teaching PCT Lost Media NHS
A folder containing contact details and care packages of children was left on a wall by staff from an unidentified London Primary Care Trust 2009-05-29 Unidentified London Primary Care Trust Lost Document NHS
A laptop containing personal details of 109,000 members of the Pensions Trust stolen from a software company, NorthgateArinso. The computer was not encrypted, and live data was being used for training and software development. 109,000 2009-05-27 NorthgateArinso Stolen Laptop Business
One GP downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop. The laptop was then stolen from his home 10,000 2009-05-25 Stolen Laptop NHS
The unencrypted medical histories of 2,300 cancer patients were compromised by Hull & East Yorkshire Hospitals NHS Trust after the theft of a desktop computer and a laptop 2,300 2009-05-25 Hull & East Yorkshire Hospitals NHS Trust Stolen Laptop NHS
500 files containing highly sensitive RAF vetting records containing details of affairs, debt and drug use have been lost from RAF Innsworth in Gloucestershire 500 2009-05-25 RAF Innsworth Stolen Media RAF
A memory stick containing the names and addresses of 80 children has been lost by a council-run nursery 80 2009-05-20 Leicester City Council Lost Media Council
the names of 175 new mums who gave birth by Caesarean section, was stolen from Aberdeen Maternity Hospital. Stolen data included mothers' names, dates of caesarean section, the time of the decision to carry out the section and time of birth. The data was removed from a "confidential waste disposal bag" which was awaiting shredding. The information was returned in an anonymous package on April 29. 175 2009-05-12 Aberdeen Maternity Hospital Stolen Document NHS
A CD-Rom containing more than 1.2million digitised receipts submitted by MPs as expenses over the last 5 years was lost by (or stolen from) the House of Commons and found its way to the Daily Telegraph, which published the details in excruciating detail in a series of articles. 645 2009-05-08 Parliament Stolen Media Parliament
Cambridge University Hospital lost of an unencrypted memory stick containing medical treatment details of 741 patients after a member of staff left it in an unattended vehicle The memory stick, which was privately owned, was discovered by a car wash attendant who was able to access the contents to establish ownership. The information was downloaded without the knowledge of the Trust. 741 2009-05-05 Cambridge University Hospital Stolen Media NHS
The North West London Hospitals NHS Trust reported the theft of two laptops and in a separate incident, the theft of a desktop computer, in total containing the details of test results and hospital numbers of 361 patients. The laptops were stolen from the audiology department of Central Middlesex Hospital whilst the desktop computer was taken from the Clinical Haematology offices at Northwick Park Hospital after the hospital security's swipe card system was disabled for maintenance. The laptops and desktop computer were password protected but not encrypted. 361 2009-05-05 Northwick Park Hospital Stolen Laptop NHS
Manchester University revealed the personal records of 1,700 people which included information on some students' disabilities, when a member of staff emailed an attachment to 469 students 1,700 2009-04-29 Manchester University Email University
A laptop computer with the names, addresses and dates of birth of 1,392 patients was taken from a locked office at Aberdeen Royal Infirmary 1,392 2009-04-24 Aberdeen Royal Infirmary Stolen Laptop NHS
British intelligence officer undermined a large anti-drugs operation in South America by leaving a computer memory stick on a bus said to contain a list of undercover agents' names and details of more than five years of intelligence work 2009-04-26 Serious Organised Crime Agency (Soca) Lost Media Police
The Nightingale Practice, a GP surgery in Hackney, London had a safe stolen from its premises. The safe included full medical records of all patients which were apparently encrypted and a "computer storage unit" that was "not protected". The unit contained such information as "names of patients with certain diseases and referral letters on some patients with details of patient's medical history". (Information from letter sent out to patients) 7,000 2009-04-02 Nightingale Practice Stolen Media NHS
A problem with the security of the ContactPoint database exposed personnel data for 55,000 vulnerable children ContactPoint's shielding system was supposed to remove all details of the estimated 55,000 vulnerable children - apart from the name, sex and age - from the database, which will be available to children's services workers across the country. However, a flaw in the system meant when certain records were updated, a duplicate was created where the details were not shielded. 55,000 2009-03-25 ContactPoint Design NHS

It's in date reported to the public order at present.