The Information Commissioner's Office has issued the Nursing and Midwifery Council a £150,000 fine after three DVDs containing "highly sensitive" data were lost in transit.
The DVDs contained video files relating to alleged offenses by a nurse and identifiable details of two children. In October 2011, they were sent by courier to the venue of a disciplinary hearing, but when the package arrived, the DVDs were not inside.
The data on the DVDs, which included witness interviews relating to the hearing, was not encrypted.
The ICO says that the council "had no policy in place requiring the encryption of this data either while held at its offices or during transit to the hearing venue".
The council itself says "our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice".
The DVDs have yet to be found.
The ICO levied the fine because the council had failed to take appropriate precautions to prevent such a data breach, it said, and because the nature of the data meant the breach was "likely to cause substantial distress".
The council said it was "disappointed" with the ICO's decision to levy a fine. "We regret the incident, but want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security," it said in a statement. "The cause of the incident is understood to have been an isolated human error."
"Since the incident we have further strengthened our policies and procedures for the secure handling of witness evidence."
"It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again," said deputy information commissioner David Smith. "I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?"