|Breach of act
|Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
|Known or should have known
|The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
|Likely to cause damage or distress
|There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.