Enforcement

The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. It is important to note that these powers are focused on ensuring that organisations meet the obligations of the Act.

16 June 2009

A formal undertaking has been signed by Manchester City Council, agreeing to comply with the seventh data protection principle. This follows the loss of a laptop computer containing personal data relating to 1,754 school-based staff from the internal audit office at the Town Hall last October.
View PDF of the Manchester City Council Undertaking.

9 June 2009

A formal Undertaking has been signed by Amicus Legal Ltd of Colchester, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer, which was owned by a consultant contracted to Amicus Legal Ltd, containing personal data relating to some 100,000 of the company's clients.
View PDF of the Amicus Legal Limited Undertaking.

4 June 2009

A formal undertaking has been signed by Salford Royal NHS Foundation Trust agreeing to comply with the seventh data protection principle. This follows the theft of a desktop computer containing the personal data of approximately 3500 of the Trust’s patients.
View PDF of Salford Royal NHS Foundation Trust's Undertaking.

22 May 2009

A formal undertaking has been signed by First Response Finance Ltd agreeing to comply with the first and third data protection principles. This follows a complaint regarding a form asking an employer for excessive details; the form has now been changed.
View PDF of the First Response Finance Ltd Undertaking.

12 May 2009

A formal undertaking has been signed by Leicester City Council, agreeing to comply with the seventh data protection principle.  This follows the loss of an unencrypted memory stick containing sensitive personal data relating to children at a Council-run nursery.
View PDF of Leicester City Council’s undertaking.

30 April 2009

Cambridge University Hospital NHS Foundation Trust, Central Lancashire Primary Care Trust, North West London Hospitals NHS Trust and Hull & East Yorkshire Hospitals NHS Trust have all signed formal Undertakings outlining that they will process personal information in line with the Data Protection Act. The organisations will implement a number of security measures to protect personal information more effectively. With immediate effect, all portable and mobile devices used to store and transmit personal data must be encrypted.
View PDF of the Cambridge University Hospital NHS Foundation Trust undertaking
View PDF of the Central Lancashire Primary Care Trust undertaking
View PDF of the North West London Hospitals NHS Trust undertaking
View PDF of the Hull & East Yorkshire Hospitals NHS Trust undertaking.

30 April 2009

A formal undertaking has been signed by Doncaster Primary Care Trust agreeing to comply with the seventh data protection principle. This follows the unauthorised removal of an obsolete out of hours GP service voice recording server that held the personal data of patients of the data controller. The server, which held 220000 clinical voice records, was later returned and it seems unlikely that the records were accessed.
View PDF of the Doncaster Primary Care Trust undertaking

30 April 2009

A formal undertaking has been signed by Leasowes Community College agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted USB memory stick containing the personal data of 1500 college pupils. The memory stick, which had been used in breach of college policy, was later recovered after being found by a member of the public.
View PDF of the Leasowes Community College undertaking

21 April 2009

A formal undertaking has been signed by The University of Manchester, agreeing to comply with the seventh data protection principle. This follows the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students. The data was emailed in error to some 469 students.
View PDF of the University of Manchester undertaking

17 April 2009

A formal undertaking has been signed by The British Council, agreeing to comply with the seventh data protection principle. This follows the loss, in transit, of an unencrypted computer data storage disc which contained the personal details of some 2,000 staff of the British Council.
View PDF of the British Council undertaking 

27 March 2009

A formal undertaking has been signed by St Georges Healthcare NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of laptop computers containing the personal data of approximately 22000 of the Trust’s patients.
View PDF of the St Georges Healthcare NHS Trust undertaking

25 March 2009

A formal undertaking has been signed by Stockport NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a laptop computer containing the personal data of 1588 of the Trust’s patients.
View PDF of the Stockport NHS Foundation Trust undertaking

24 March 2009

A formal undertaking has been signed by 2gether NHS Foundation Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a laptop computer and a memory stick containing the personal data of 56 of the Trust’s patients.
View PDF of the 2gether NHS Foundation Trust undertaking

23 March 2009

The Information Commissioner’s Office has issued an Enforcement Notice against Camden Primary Care Trust (PCT) following a breach of the Data Protection Act. Computers containing 2,500 individuals’ names, addresses and medical diagnoses were left beside a skip inside the grounds of St. Pancras Hospital in August 2008.
View PDF of the Camden Primary Care Trust Enforcement Notice

6 March 2009

The ICO has today issued an Enforcement Notice against Mr Ian Kerr trading as The Consulting Association. This follows an ICO investigation that uncovered a database held by The Consulting Association containing personal details on 3,213 construction workers. The details were used by over 40 construction companies to vet individuals for employment.
View PDF of the Consulting Association Enforcement Notice

13 February 2009

A formal undertaking has been signed by Hastings and Rother Primary Care Trust, agreeing to comply with the seventh data protection principle. This follows the theft of a desktop computer containing the personal data of a number of the Trust’s patients.
View PDF of the Hastings and Rother Primary Care Trust undertaking

5 February 2009

A formal undertaking has been signed by Brent Teaching Primary Care Trust, agreeing to comply with the seventh data protection principle. This follows the theft of two unencrypted laptop computers containing the personal data of 389 of the Trust’s patients.
View PDF of the Brent Teaching Primary Care Trust undertaking

22 January 2009

The ICO has required the Home Office to sign a formal undertaking after a contractor employed by the Home Office, PA Consulting, lost an unencrypted memory stick holding sensitive personal details of thousands of individuals in August 2008. The Undertaking has been signed on behalf of the Home Office by Sir David Normington, the Permanent Secretary.
View PDF of the Home Office undertaking

A formal undertaking has been signed by Abertawe Bro Morgannwg University NHS Trust, agreeing to comply with the seventh data protection principle. This follows the theft of an unencrypted laptop computer containing the personal data of approximately 5000 of the Trust’s patients.
View PDF of the Abertawe Bro Morgannwg University NHS Trust undertaking

The Information Commissioner's Office has required the Tees Esk and Wear Valleys NHS Foundation Trust to sign a formal undertaking after finding the organisation in breach of the Data Protection Act 1998.  The data breach involved an incident which resulted in the loss of an unencrypted data stick, by a contractor, with various patient and staff personal data on it.  A member of the public found the data stick which was later returned to the Trust.
View PDF of the Tees Esk and Wear Valleys NHS Foundation Trust undertaking

20 January 2009

The Information Commissioner's Office has required Hampshire Partnership NHS Trust and Southampton City PCT to sign formal undertakings after finding the organisations in breach of the Data Protection Act 1998. The data breaches involved an incident which resulted in the loss of payslips containing employee personal data from both trusts.
View PDF of the Hampshire Partnership NHS Trust undertaking
View PDF of the Southampton City PCT undertaking

18 December 2008

The Information Commissioner's Office has found Leonard Cheshire Disability in breach of the Data Protection Act. This follows their failure to adequately respond to a subject access request made by one of their service users. The ICO has issued Leonard Cheshire Disability with an Enforcement Notice which requires them to comply with the subject access request. Leonard Cheshire Disability have now complied with this Enforcement Notice.
View PDF of the Leonard Cheshire Disability Enforcement Notice

26 November 2008

The Information Commissioner’s Office has required NHS Tayside and NHS Lanarkshire to sign formal undertakings after finding the organisations in breach of the Data Protection Act. The ICO was alerted to data breaches earlier this year when members of the public found confidential health records in buildings on the site of the former hospitals.
View PDF of the NHS Tayside undertaking
View PDF of the NHS Lanarkshire undertaking

30 September 2008

A formal undertaking has been signed by Virgin Media Limited, agreeing to comply with the seventh data protection principle. This follows the loss of an unencrypted compact disc containing the personal data of more than 3000 Virgin Media customers.
View PDF of the Virgin Media undertaking

25 September 2008

The Information Commissioner's Office is today serving an Enforcement Notice against the Department of Communities and Local Government for contravening the Data Protection Act 1998 in relation to their response to a subject access request received by them.
View PDF of the Department of Communities and Local Government Enforcement Notice

15 July 2008

The Information Commissioner’s Office (ICO) is today serving enforcement notices against HM Revenue and Customs and the Ministry of Defence following recent high profile data breaches.
View PDF of the HMRC Enforcement Notice
View PDF of the MoD Enforcement Notice

14 July 2008

The Commissioner has cancelled the Enforcement Notice dated 23 January 2008 served on Marks and Spencer PLC following receipt of a letter dated 8 July 2008 confirming that they have now completed the process of laptop hard drive encryption required by the Enforcement Notice.
View PDF of letter from Marks and Spencer PLC dated 8 July 2008 and Cancellation Notice dated 14 July 2008 

10 April 2008

A formal undertaking has been signed by the Royal British Legion Club in Shirley, West Midlands, agreeing to comply with the seventh data protection principle, in accordance with their procedures.
View PDF of the Royal British Legion Club undertaking

22 February 2008

The ICO investigation into complaints against Loans.co.uk has completed. Appropriate regulatory action has been taken and an ex-employee of the company has been formally cautioned for a criminal offence of unlawful disclosure of personal data contrary to section 55 of the Data Protection Act 1998.

21 February 2008

The Information Commissioner's Office has found Skipton Financial Services in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 14,000 SFS customers.
View PDF of the Skipton Financial Services undertaking

25 January 2008

The Information Commissioner's Office has found Marks & Spencer PLC in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. The ICO has now issued Marks & Spencer with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008.
View PDF of the Marks & Spencer Enforcement Notice

16 January 2008

The ICO has found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information.
View PDF of the Carphone Warehouse Enforcement Notice
View PDF of the TalkTalk Telecom Enforcement Notice

20 December 2007

Following the issuing of Enforcement Notices against four police forces, the Information Commissioner has now issued an Enforcement Notice against a fifth police force requiring it to delete old conviction data.
View PDF of the Greater Manchester Police Enforcement Notice

11 December 2007

The ICO has required the Department of Health to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of the Department of Health undertaking

13 November 2007

The ICO has required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of the Foreign and Commonwealth Office undertaking

1 November 2007

After investigating complaints from four individuals, the ICO has issued Enforcement Notices to Humberside, Northumbria, Staffordshire and West Midlands Police. The Information Commissioner’s Office (ICO) has ordered the police forces to delete old criminal convictions from the Police National Computer (PNC).
View PDF of the Humberside Police Enforcement Notice
View PDF of the Northumbria Police Enforcement Notice
View PDF of the Staffordshire Police Enforcement Notice
View PDF of the West Midlands Police Enforcement Notice

9 July 2007

The Northern Ireland Office has signed an undertaking in relation to their response to future Subject Access requests received by them.
View PDF of Northern Ireland Office undertaking

23 May 2007

Following an investigation into the alleged sharing of user names and passwords by Customer Service Representatives at one of the company’s call centres, the Information Commissioner's Office has required Orange Personal Communications Services Ltd to sign a formal undertaking to comply with the principles of the Data Protection Act.
View PDF of Orange undertaking

21 May 2007

A customer of Littlewoods Shop Direct Home Shopping Ltd had complained to the ICO regarding receipt of unsolicited mailings. The company had, on two previous occasions, given an assurance that the customer’s details had been removed from their customer lists, yet despite this the complainant still received unwanted mail from them. The company have signed an undertaking agreeing to suppress the customer’s details from all company databases and to review procedures to ensure customer rights under Section 11 of the Data Protection Act 1998 are upheld.
View PDF of Littlewoods undertaking

17 May 2007

Since April 2005, the ICO have received six separate complaints regarding the inappropriate disposal of confidential personal data at different branches of Phones4U. Following an investigation into the latest incidents in Coventry and Swindon, the company agreed to sign an undertaking to ensure their future compliance with the Seventh Data Protection Principle.
View PDF of Phones4U undertaking

23 April 2007

The ICO recently received a complaint that personal data had been recovered from unsecured waste bins outside the premises of Cash Generators in Bridge Street, Nuneaton.

Items removed included paperwork showing the names and addresses and other information linked to purchases made at the premises.

Following an investigation into the matter, the Director of the company agreed to sign an undertaking to ensure the company's future compliance with the Data Protection Act.
View PDF of Dipesh Ltd (trading as Cash Generator) undertaking

13 March 2007

Following an investigation into the disposal of customers' information, the Information Commissioner's Office has required the following companies to each sign a formal undertaking to comply with the principles of the Data Protection Act.

Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution by the Office.

Further information can be found by reading the press release.

 
