The Information Commissioner's Office (ICO) says that the data was lost by Zurich Insurance South Africa during a routine transfer to a data storage centre in South Africa in August of 2008.
The incident was not reported to Zurich Insurance's headquarters for over a year, according to the ICO, which says that an internal investigation revealed a number of inadequately managed IT security procedures at the company's operations centre.
As a result of the investigation, Stephen Lewis, UK branch manager of Zurich Insurance, has signed an undertaking with the ICO, pledging that his company will ensure that relevant data security procedures – including encryption systems – are in place before data is moved.
The insurer has also agreed to monitor and promptly report any data security weaknesses or breaches, and ensure that staff plus any external contractors are made aware of security procedures.
Sally-Anne Poole, head of enforcement and investigations at the ICO, said that it is vital that organisations ensure that effective safeguards are in place to protect personal information.
"Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers' trust and confidence", she said.
Chris McIntosh, CEO of data encryption specialist Stonewood, said that you have to wonder why organisations have not yet realised that if they are moving sensitive data around it has to be encrypted.
"After all the incidents we have had in the last few years, you would have thought people would have learned", he said.
"However, it's good to see the ICO becoming more strict and making these rulings as it highlights the need for organisations to ensure that the security of the data they hold is airtight at every single step in that data's lifecycle", he added.
According to McIntosh, this goes beyond ensuring that company laptops are encrypted and that data is not transferred onto portable devices.
"If a storage device, whether a PC hard drive, a USB stick or a backup tape, could hold personal data at any point, then that device needs to be as secure as possible. This means using encryption, and implementing policies to make any loss or security breach as difficult and as inconsequential as possible", he said.
"This is especially important when operating in regions such as South Africa which, unfortunately, has a reputation for data theft and fraud", he added.