The information Commissioner's office has found the British Council in breach of the Data Protection Act for losing an unencrypted disk containing personal data of more than 2,000 employees.
The disk was lost in December 2008 while being transported by a courier service employed by the British Council, which reported the data breach to the ICO.
Data on the disk included trade union membership and bank account details, which the ICO said could cause significant distress to the individuals concerned.
The British Council has acknowledged that it did not take any measures to safeguard the personal data on the disk.
The British Council has signed a formal undertaking to take reasonable measures, including disk encryption, to keep personal information safe in future.
The ICO has ordered a number of organisations to sign undertakings following breaches of the Data Protection Act.