Southwark Council lost personal data records of thousands of people after papers and a computer were left in its old office.

The records, which include information on ethnicity, physical and mental health, and criminal convictions, were reported to the ICO in June this year after they were discovered in a skip, cleared out from the old council office.

”It appears the data controller failed to correctly locate and dispose of the iMac and paper records in question upon vacating the property, despite a formally documented decommissioning procedure,” read the data protection undertaking that Annie Shepperd, the chief executive of the Borough of Southwark, signed for the ICO. “These items were subsequently discovered by the new landlord upon cleansing the property, and disposed of in the skip, where they were later discovered.”

The ICO said that highly sensitive and confidential information had been stored inappropriately, as the information on the iMac was not encrypted, meaning that it could be read by anybody accessing the computer.

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard,” said Sally-Anne Poole, the acting head of enforcement at the Information Commissioner’s Office.

The information was lost before the ICO received the power to give fines for breaches of the DPA, so Poole said that the ICO couldn’t issue a fine. The ICO can now issue fines of up to £500,000 for breaches of the Data Protection Act.