The Information Commissioner’s Office (ICO) has reprimanded Southwark Council after residents’ personal information was found two years after going missing, when it turned up on an unencrypted Apple iMac that had been dumped in a skip.

According to the ICO the Council had misplaced the sensitive data – which contained names and addresses, information relating to ethnic background, medical history and any past criminal convictions of 7,200 people – when it move offices in December 2009.

The computer was mistakenly left in the premises, along with papers that also contained sensitive information, when the Council moved out. The building’s new tenants found the computer and papers and disposed of them in a skip, the ICO said.

They were subsequently discovered earlier this year and the incident was reported to the ICO.

The ICO has now ruled that Southwark Council breached the Data Protection Act, and although it did have information handling and decommissioning policies in place, these were not followed during the office move.

"The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard," said Sally Anne Poole, Acting Head of Enforcement at the ICO.

"As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case," she added.

The Council has agreed to make sure that all portable devices that are used to store personal information are properly protected.

Chris McIntosh, CEO ViaSat UK, said the security lapse by Southwark Council could have left local residents open to identity theft.

"This data breach further demonstrates that organisations are still woefully complacent in their handling of sensitive information. The medical history and criminal convictions of thousands of constituents in Southwark Council is information that should never make it into the public domain and has the potential to seriously disrupt the lives of those affected," he said.

"The further fact that the names and addresses of these individuals were on the unencrypted computer puts them at real risk of identity fraud. Public sector organisations such as this need to ensure that information security measures are not only implemented but more importantly followed," McIntosh added. "It is a shame that in this case the ICO is unable to use its powers to issue a financial penalty, as hopefully this will start to act as a real deterrent in the future."