Southwark Council in London has been heavily criticised by the Information Commissioner’s Office (ICO) after leaving behind the personal data of thousands of citizens in a building it had vacated.

The data on 7,200 people were stored on a single unencrypted iMac computer and paper files were forgotten during a move by the Council from a building in Spa Road in October 2009.

The data remained in the empty premises until its habitation almost two years later in June of this year, at which point it was put into skips by the new tenant. The lost data was then noticed in the skip and reported to the ICO.

Embarrassingly, as well as the usual personal data such as names, addresses and ethnicity, medical history and criminal convictions were also recorded in the mislaid data.

The ICO hinted that it might have imposed a fine had the offence not occurred before it had the power to impose such a penalty.

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard,” said ICO acting head of enforcement, Sally Anne Poole.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

The council was also at fault for failing to even encrypt the computer data.

Earlier this year, Southwark Council lost a £2.5 million court case it had taken out against IBM for allegedly misselling it software.