The Southwark Council in south-east London has been found guilty of breach of the Data Protection Act, the Information Commissioner's Office informed.
The council had lost personal details like medical information belonging to around 7,000 thousand people for more than two years. The information was stored in a computer and some documents which were discovered by someone in an office from where the council had moved.
Luckily for the council, the data breach had taken place before the ICO had been given new powers to fine organisations found guilty of data breach. Nonetheless, the council has been chastised by the ICO and the council in turn has agreed to an audit by the ICO.
The information lost by the council over the two year period includes people's names and addresses, medical records and other data like ethnic background and past criminal records.
"The fact that thousands of residents' personal details went missing for over two years clearly shows that Southwark Council's policies for handling personal information are below standard," said Sally Anne Poole, acting head of enforcement at the ICO reports BBC News (opens in new tab).
The Southwark council, in its defence, claims that it had started an internal investigation when it was made aware of the data breach and assured that it had implemented new methods to better handle data and protect privacy.