|Breach of act
|Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
|Known or should have known
|The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
|Likely to cause damage or distress
|The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.