The Information Commissioner's Office (ICO) has fined the Nursing and Midwifery Council £150,000 after it lost three DVDs containing details of a nurse's misconduct hearing.
The fine, coming just a few weeks after a £250,000 fine for Sony, underlines the ICO's willingness to go after private organisations in its efforts to clamp down on shoddy data handling practices.
According to the ICO, the DVDs contained confidential personal information about the nurse and included evidence given by two vulnerable children.
The council used a courier to deliver the DVDs as evidence pertaining to the 'fitness to practise' case to the hearing venue. When the packages arrived, the disks were missing but the packages showed no signs of tampering.
Subsequent investigations by the ICO uncovered that the DVDs had not been encrypted and they have never been recovered, despite extensive searches.
These glaring lapses in security exasperated deputy commissioner of the ICO, David Smith, who said the watchdog is fed up with seeing such basic errors being made.
"It would be nice to think that data breaches of this type are rare, but we're seeing incidents of personal data being mishandled again and again," he said.
"While many organisations are aware of the need to keep sensitive paper records secure, they forget personal data comes in many forms, including audio and video images, all of which must be adequately protected."
Smith urged organisations to think carefully about their data protection policies, or they could end up in a similar position to the Midwifery Council.
"Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? If the answer to any of those questions is no, then the organisation risks a data breach and a possible weighty monetary penalty."
"[In this case] no policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered."
"Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty."
The NMC said it was "disappointed" with the fine but said it had learnt lessons from the incident.
"Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice," it said.
"The cause of the incident is understood to have been an isolated human error."