The Information Commissioner's Office (ICO) has found the London Borough of Sutton in breach of the Data Protection Act.
The ICO found that Sutton Council had lost sensitive data about children and adults receiving social care in four separate incidents in the past two years.
The data was stored on two unencrypted laptops that were stolen, a paper file that was misplaced and a package of documents lost by a courier service.
Paul Martin, chief executive of Sutton Council, has agreed to ensure that portable and mobile devices used to store personal data are encrypted.
The council has also agreed to ensure security measures are adequate to protect personal information and to raise staff awareness of data protection.
"We have started a programme of training to ensure all of our staff who have access to personal data are fully aware of the importance of keeping it safe," he said.
Sally-anne Poole, head of enforcement and investigations at the ICO, called on all organisations to implement the appropriate safeguards to ensure personal details are stored and processed securely.
Sutton Council has signed an undertaking to assure the ICO that personal data will be kept securely in future.