The ICO has obtained undertakings from the South Western Ambulance Service (SWAS), concerning the implementation of data sharing policies and security measures, following an incident involving seven disks containing sensitive patient data relating to over 45,000 individuals. SWAS safely sent the disks by recorded delivery to a Clinical Commissioning Group (CCG). It was subsequently discovered that the disks were unencrypted and the ICO’s view was that this presented a potential security risk. In addition and not often seen, the ICO also queried the legal basis on which this data was shared with CCG. The ICO’s view was that there was no justifiable legal reason for CCG to access this data and that additional data fields requested by CCG risked SWAS providing excessive information to CCG.