Loss of personal data.
Training manuals posted on the data controller’s website contained actual, rather than fictitious or anonymised personal data.
Undertaking issued to ensure that no documents containing personal data shall be placed on the data controller’s website and that staff will be made aware of IT security policies by no later than the 30th of September 2012.
Reason for action
The breach was discovered in July 2011 but the manuals had been live on the website since February 2011. During the investigation it became clear that only around 20% of staff had made use of the training materials available to them.
01 March 2012.