Following this incident, the CIPR has signed an undertaking with the ICO to develop a policy for handling personal data outside the office, which it did not previously have.
The CIPR has signed an undertaking to review its data protection policy and make sure that it is communicated to staff by the end of February.
The undertaking reads: ‘The Commissioner has also considered the fact that some of the data stolen in this incident consisted of information as to the ethnic origin of the data subjects and/or their physical or mental health or condition.’
CIPR CEO Jane Wilson said: ‘At the time of the highly regrettable loss of membership application forms in May 2011, the CIPR took swift action to find and compensate people whose identity or personal data could have been compromised. We followed up with a thorough, independent investigation and cooperated fully with the Information Commissioner’s Office.
‘We have reviewed our data handling policies and our staff training and the ICO have confirmed to us in writing that the actions we have taken were correct in the circumstances. We are very grateful for the understanding and cooperation we received from those who were affected by the loss and would like to reassure our members that steps have been taken to ensure this is highly unlikely to happen again.’