The Information Commissioner's Office (ICO) has found Jubilee Managing Agency Ltd in breach of the Data Protection Act after the insurance company reported the loss of an unencrypted disk containing the personal details of around 2100 individual UK policyholders.
Jubilee Managing Agency has signed a formal Undertaking outlining that it will take reasonable measures to keep personal information secure in future. Some of the data on the disk referred to policies, in some cases over 10 years old, that had expired or been cancelled, as well as information on policyholders who had since died or moved address.
A full investigation was carried out by the data controller. Subsequently, an independent company reviewed data security arrangements at the insurer and found a lack of detailed data security procedures and policies, and insufficient staff training.
Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: "This case is not only a reminder that the appropriate safeguards should be in place to protect personal information, but that organisations must ensure information is accurate and up to date. Organisations should only retain personal information for as long as necessary. It is a matter of some concern to us that expired policies, including financial details, were still available and stored on unencrypted devices.
"Since November 2007, 161 data security breaches have been reported to the ICO in the private sector. We urge all CEOs and their senior management teams to ensure data protection is treated as a corporate governance issue affecting the whole organisation. All organisations need to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture."
Failure to meet the terms of the Undertaking is likely to lead to further regulatory action by the ICO.