The ICO served the civil monetary penalty (11-page / 1.87MB PDF) on Welcome Financial Services Limited (WFSL) after finding that the company had been guilty of a serious breach of the Data Protection Act (DPA).
Details of "approximately 510,000" of WFSL customers' names, addresses, phone numbers, their dates of birth and information about their loan accounts had been stored on two unencrypted backup tapes that the company used to log its daily business activity. WFSL discovered that the tapes were "unaccounted for" last November. They have never been recovered.
The ICO said it had received 26 formal complaints about the incident and that, when determining the level of fine, it had factored in the "large number of records involved and the nature of the personal data" and the fact that the tapes are lost and were unencrypted, in contrast to the company's stated information security policy. It is the third highest penalty the watchdog has ever issued for a breach of data protection laws.
Under the DPA, organisations in control of personal data are required to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches. The ICO has faced criticism that it has issued disproportionately fewer fines to private sector companies than it has to public sector bodies.
The ICO has also published its annual report (84-page / 704KB PDF) for 2011/12. The ICO has reported that it received 12,985 complaints about data protection issues during the year, which was a 0.3% reduction on the figures from the previous 12 months. The watchdog said it closed its casework on 95% of data protection cases within six months of first receiving them.
There was a 43% rise in the number of complaints the ICO received on privacy and electronic communications issues. It received 7,095 complaints in the past year compared with 4,953 in 2010/11.
The ICO said it was stepping up its efforts to enforce against companies that make unsolicited marketing calls or send out unsolicited marketing texts. It has the power to issue fines of up to £500,000 for firms that engage in that activity under the Privacy and Electronic Communications Regulations.
"We have now set up a dedicated team to enforce the Privacy and Electronic Communication Regulations and we are currently working to identify the operators responsible," Information Commissioner Christopher Graham said in a statement. "The ICO has executed search warrants at a number of sites across the UK linked to companies we believe are breaking the law."
"We have also set up an online reporting mechanism on our website that allows people to report any marketing texts or calls from unidentified senders. We have received over 12,000 reports to date and we are confident that this work will help us identify those responsible," he added.
The ICO's report also detailed a 7% increase in the number of complaints it received about compliance with the Freedom of Information (FOI) Act. The watchdog received 4,633 FOI complaints during 2011/12.
The watchdog said that it would be "extending its audits to cover public authorities' compliance with the Freedom of Information Act".
The ICO conducted 42 data protection audits on organisations last year, 60% more than during 2010/11, with 90% of those audited reporting that they thought "the process raised awareness of the importance of data protection."