Loss of personal data.
Around 2,100 records.
An unencrypted disc containing personal data was lost.
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Personal data must not be kept any longer than absolutely necessary. Written data protection procedures must adopted. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.
Reason for action
The disc was unencrypted and contained data relating to policies which had expired, or been cancelled, in some cases over 10 years ago. An investigation revealed that staff had insufficient internal training.
23 June 2009