BURGLARS stole eight laptops from police, which contained sensitive information on 4,500 criminals.
The computers were taken from an office used by a team called the East Midlands Collaborative Unit, which shares intelligence and plans resources across police forces.
The burglars and the laptops have never been traced
All of the laptops were password protected and on six of them the data files were encrypted. However, two computers contained sensitive files which were not encrypted.
Inspectors at data watchdog the Information Commissioner's Office (ICO) say the incident has "implications on a national scale" for similar police projects.
The ICO revealed the theft this week when they issued the chief constables of three forces involved with the programme, including Chris Eyre at Notts Police, with orders to improve procedures.
Thieves took the laptops from a Newark office being used by the unit in August 2010 but the break-in was not made public until this week.
The ICO launched an investigation and has now said a lack of planning of the setup of the unit at the time was "concerning".
Notts Police and other East Midlands' forces have improved collaboration since 2008 to better share intelligence and resources and save cash as Government cuts bite.
But the ICO now says it is raising the Newark incident with the Association of Chief Police Officers because of similar risks elsewhere.
Meagan Mirza, ICO Group Manager, said: "Our investigation found that there was no formal basis for the sharing of personal data within the unit and no apparent recognition that the police forces remained responsible for the data they were processing.
"In many cases it wasn't clear why the information was needed in the first place and this was compounded by the fact that there was no clear identified purpose for the unit.
"While many of these issues have now been addressed, the lack of planning around the setup of the unit is concerning."
The laptops were stolen when burglars smashed a glass panel in a door at the offices in Stephenson Court, off Stephenson Way, Newark on Saturday, August 14, 2010.
The offices are not used by the unit any more.
Afterwards the East Midlands Police Collaboration Programme (EMPCP), as it is now known, voluntarily referred the incident to the ICO.
The ICO said the laptops held prison records and "offender details" relating to about 4,500 people from across the East Midlands.
Neither the EMPCP not the ICO would further discuss what was on the computers.
The resulting ICO 'enforcement notices' have been issued to Chris Eyre, Derbyshire chief Mick Creedon and Leicestershire chief Simon Cole because they are the 'data controllers' of their organisations under information rules.
Mr Eyre's notice requires him to give the ICO assurances on four points within 35 days.
These include that personal data is only shared under collaborative projects after an official has made security and data checks.
In the notice, David Smith, Deputy Information Commissioner said: "The individuals whose sensitive personal data has been stolen are likely to have suffered worry and anxiety on account of the risk that their data will come into the possession of unauthorised individuals.
"Whilst there is no evidence that damage has been caused there was a significant risk that it could have been."
A spokesman for the EMPCP said: "Each of the four recommended actions had already been addressed prior to the publication of the enforcement notice and that is progressing.
"It should be also noted that the data held on the computers would not have been readily accessible to third parties because of password protection.
"Nevertheless, we have conducted a thorough review of our information handling procedures.
"The EMPCP will now review the Enforcement Notice in conjunction with the East Midlands forces."
What do you think about this story? Let us know your views by emailing us at newsdesk@nottinghampostgroup.co.uk