The London Borough of Southwark Council breached the Data Protection Act by misplacing a computer and papers containing 7,200 peoples’ personal information which were discovered in a dumpster earlier this year.
In a press release issued today , the Information Commissioner’s Office (ICO) said the computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.
The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered. The ICO’s inquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted and could not account for the computer after 2003.
The authority signed an undertaking agreeing to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.
The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.
Source: Information Commissioner’s Office.