The Information Commissioner’s Office is investigating the health and social care charity change, grow, live after accusations were made that it left more than 100 sensitive beneficiary records behind during an office move.
The landlord of CGL’s office in Ashton-under-Lyne near Manchester, which the charity vacated in November, found the records in an old filing cabinet when he visited the property two weeks ago, according to the Manchester Evening News.
He estimated that there were between 150 and 200 records dating back more than 10 years, containing names, addresses and case review notes detailing beneficiaries’ struggles with abuse and drug addiction, the newspaper reported.
The landlord claimed that he contacted both CGL and Tameside Metropolitan Borough Council, which had given CGL the contract, but neither was interested in having the files returned.
CGL took over the contract in Tameside when it absorbed the previous contract holder, Lifeline Projects, which collapsed last year.
Third Sector understands the ICO has been in contact with CGL, Tameside council and the landlord in connection with the issue.
An ICO spokeswoman said: "Organisations have a legal duty to ensure they take appropriate organisational and technical measures to ensure that personal data is held securely. This is even more important in the case of sensitive personal information.
"We have been made aware of an issue relating to the discovery of documents in Tameside and will be making further enquiries."
Kevin Crowley, executive director of CGL, told Third Sector the charity had now viewed the records to assess what they contained.
He said: "It was immediately clear to us that these materials should have been properly identified and secured by change, grow, live when we vacated the premises in November last year.
"Although initial indications are that the data is archival in nature and relates to service users who had accessed services provided by a previous provider at these premises, this does not diminish our responsibility for properly securing the data, nor does it diminish our determination to do a full root-and-branch review to ensure that this can never happen again."
He said the data was now being stored securely by Tameside council and the charity was liaising with the local authority and the ICO.
The Charity Commission said it would be looking into the situation.
"Any breach of data protection within a charity is of serious concern, putting beneficiaries at risk and undermining public trust and confidence," a commission spokeswoman said.
"The trustees should consider reporting this to the commission as a serious incident, and we will be contacting them to seek further information on this matter."
The council did not respond to a request for comment before publication of this story.