As a follow-up to a breach reported previously on this blog, the Chartered Institute of Public Relations has signed an undertaking with the Information Commissioner’s Office.
From the undertaking:
In May 2011, the Information Commissioner (the “Commissioner”) became aware of an incident involving the loss of up to 30 CIPR membership application forms.
A member of the data controller’s staff was taking the forms home to input the details remotely onto CIPR systems, but accidentally left them on the train. Amongst other information, some of the documents contained sensitive personal data in the form of optional tick boxes. In a small number of cases, the documents also contained instructions for membership fee payment. Investigations revealed that at the time of the incident, there was no written policy in place to cover working away from the office, and several other of the data controller’s procedures for handling personal data were also found to be lacking.