The CQC has admitted that sensitive personal data stolen from its Newcastle office in July may never be recovered.
An internal review conducted following the theft of 500 criminal record checks identified a number of issues, including failure to recognise information risk, non-compliance with CQC’s own information security policy and a failure to follow and manage the project plan for the office refurbishment project during which the loss occurred.
The CQC said work needed to be done to ensure that all its staff understood best practice on information security and reflected this in their everyday practice.
Six recommendations were made by the review: the first five of these relate to information risk management, incident response management and supply chain risk management, while the sixth is that CQC should embark on a programme of security culture change in order to become an exemplary information security organisation.
The CQC said all recommendations were being followed up and incorporated into a wider programme of work to embed information security and governance into its culture.
This includes working with other organisations to identify good practice, staff training and organisational spot checks.
The CQC will also publish a response setting out its actions to ensure that its recommendations are addressed.
It concluded: “The organisation is committed to ensuring that every possible step is taken to guard against any future data security breaches.”