Sensitive personal details entrusted to Southwark Council were found on a computer that had been dumped in a skip, after having been misplaced for two years, according to UK data protection authority the Information Commissioner's Office.
Details of around 7,200 people who used Southwark Council services before December 2009, including medical history, criminal convictions, names, addresses, and ethnic background, were left on the computer and documents, according to the Information Commissioner's Office (ICO).
"The computer was an old Apple iMac," an Information Commissioner's Office (ICO) spokesman told ZDNet UK on Monday. "It had some security features, like password protection, but no encryption. The vast majority of details were on the computer."
The iMac and documents were left at the council's buildings at the Spa Road Complex in Southwark after the council vacated the building in December 2009. The building remained tenanted until Southwark Council sold the building on 11 May 2011. The computer and documents were found in the skip by a member of the public on 3 June, after a clean-out by the new landlord.
The member of the public who found the computer and documents reported the data loss to Southwark Council. The skip was not located in a public place, but "within the security of the complex," the ICO said in an undertaking.
The ICO has the power to fine organisations up to £500,000 for breaches of the Data Protection Act, but did not fine Southwark Council. The breach occurred before the ICO fining powers came into effect, ICO acting head of enforcement Sally Anne Poole said in a statement on Monday.
"The fact that thousands of residents' personal details went missing for over two years clearly shows that Southwark Council's policies for handling personal information are below standard," said Poole. "As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case."
The iMac was unaccounted for since 2003, after having been mistakenly removed from the council's asset register.
The council agreed on a number of measures to try to tighten up data security, including to review its decommissioning processes, and to update data protection guidance.