Electronics retailer DSG breached the Data Protection Act when eight completed credit agreements containing customers' personal and financial data were found in or near a skip at one of the company's PC World stores, the Information Commissioner's Office (ICO) has ruled.
A local authority's environmental health department found the documents, which related to transactions made two years earlier and had been kept longer than recommended by DSG's policies for holding personal data.
The company's normal procedure for destroying sensitive documents should have seen them transported in sealed containers to a central facility for secure shredding, but this did not occur.
DSG Retail CEO John Browett has signed a formal undertaking to prevent a similar breach. The steps include a review of security procedures and training staff how to comply with the company's security policies.
ICO head of enforcement Mick Gorrill said an important principle of the act was that companies kept personal information securely and only for as long as necessary.