A computer and papers containing the personal information of 7,200 people were discovered in a skip earlier this year, according to the Information Commissioner's Office (ICO).
After they were left at a vacant office by Southwark Council, they were disposed of by the building's new tenant seven months later. The information stored on the computer and featured in the papers included names and addresses, along with other information relating to ethnic background, medical history and criminal convictions.
The ICO's inquiries found that while the council did have information handling and decommissioning policies in place, they were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.
Sally Anne Poole, acting head of enforcement, said: “The fact that thousands of residents' personal details went missing for over two years clearly shows that Southwark Council's policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties, we are unable to consider taking more formal action in this case.”
Chris McIntosh, CEO of ViaSat UK, said: “This data breach further demonstrates that organisations are still woefully complacent in their handling of sensitive information. The medical history and criminal convictions of thousands of constituents in Southwark Council is information that should never make it into the public domain and has the potential to seriously disrupt the lives of those affected.
“The further fact that the names and addresses of these individuals were on the unencrypted computer puts them at real risk of identity fraud. Public sector organisations such as this need to ensure that information security measures are not only implemented, but, more importantly, followed. It is a shame that in this case the ICO is unable to use its powers to issue a financial penalty, as hopefully this will start to act as a real deterrent in the future.”