The loss of 18,000 personal records by the Rochdale Metropolitan Borough Council highlights the fact that many organisations are still failing to put the most basic measures in place to manage their information securely, say information security experts.
The Information Commissioner's Office (ICO) has found the council in breach of the Data Protection Act for losing an unencrypted memory stick containing the data in May 2011.
In some cases, the data included residents' names and addresses, along with details of payments to and by the council. The device did not include any bank account details.
"This is not an isolated incident - other public sector organisations have recently been found guilty of being in breach of the Data Protection Act. Information on the move outside the company is at risk unless it is properly encrypted and protected from human error," said Christian Toon, head of information security Europe for security firm Iron Mountain.
"This requires more than just technology; it requires the development and active implementation of robust information management policies, supported by staff training and self-regulation," Toon said.
The Rochdale Council escaped monetary penalty because the information stored on the device was not sensitive and much of it is publicly available, which means the data loss is unlikely to cause substantial distress to local people, the ICO said.
However, the ICO's investigation found the council's data protection practices were insufficient: it had failed to ensure that the memory sticks issued to staff were encrypted, and it had not provided employees with adequate data protection training.
"Encrypting data and ensuring that all employees know the importance of data protection should by now be the bare minimum expected from organisations in both the public and private sectors," said Chris McIntosh, chief executive of security and communications firm ViaSat UK.
Incidents such as this should be a wake-up call to all organisations, he said, because there is no guarantee that data will never be lost, or that any data lost will turn out to be not sensitive.
"To prevent much more serious losses happening in the future, organisations need to review their processes now. Otherwise the ICO will need to use all the tools at its disposal, from auditing to civil penalties, to ensure that the correct standards are met," said McIntosh.
The Rochdale Council has signed an undertaking to put changes in place by 31 March 2012 to prevent a repeat of this kind of incident. The ICO will then check to ensure the improvements have been made.
The ICO has published guidance on the security measures that organisations should have in place when storing personal information electronically.