The Nursing and Midwifery Council has been fined £150,000 by the Information Commissioner's Office (ICO) for breaching the Data Protection Act.
Three DVDs containing confidential information about two children went missing during the process of a nurse's misconduct hearing, with an ICO investigation discovering that the data wasn't encrypted.
ICO publishes best practice code on anonymisation of data Education on data loss needed more than ICO fines, says Quest H4cked Off: ICO's Sony fine is nowt but a slap on the wrist
"The Nursing and Midwifery Council's underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk," said David Smith, deputy commissioner and director of data protection, criticising the council's handling of the matter.
"No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty."
The ICO urged organisations to take more care when handling personal data.
"It would be nice to think that data breaches of this type are rare, but we're seeing incidents of personal data being mishandled again and again," said Smith.
"While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected."
The ICO deputy commissioner stressed that organisations need to enforce robust policies when it comes to proper protection of data.
"I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?
"If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty," he said.
The Nursing and Midwifery Council's penalty comes a month after the ICO fined Sony £250,000 for the April 2011 PlayStation Network hack. That attack compromised the personal data of millions of PlayStation users, with the fine representing a record penalty from the ICO.
However, the comparative levels of the two fines is likely to raise questions as to how the ICO decides on appropriate penalties in the event of data breaches.
When asked by Computing to explain the decision-making process behind the fines issued to the two organisations, the ICO said the figures were commensurate with its own published guidance.
"One of the key factors when deciding the value of the penalty imposed on Sony was the fact that the breach affected millions of users and could have been prevented if the software being used had been kept up-to-date," an ICO spokesman told Computing.
The ICO document states that one of the determining factors behind the levels of penalties imposed is the nature of the individuals affected. It specifically mentions data about children.
"While the Nursing and Midwifery Council breach only affected a relatively small number of individuals, it nevertheless resulted in confidential personal information being compromised. Once again the breach was preventable, as the sensitive nature of the information stored on the DVDs meant that the data should have been encrypted," the spokesman added.
The ICO announcement of the fine was accompanied by a guide for organisations about how to properly use encryption when storing data.
