Loss of personal data.
A hard drive purchased from the Internet contained personal data relating to S&S clients.
Undertaking issued to ensure that any redundant hard drives and removable media devices used to store personal data are forensically wiped or completely destroyed before being disposed of or reused. The details of any such items must be logged.
Reason for action
S&S could not confirm how the hard drive had ended up in the public domain. It also transpired that the data controller did not have an adequate data protection policy in place at the time of the incident and further, that it did not have a drive disposal procedure. The data controller did not keep a record of any decommissioned equipment.
25 Apr 2012