Laptops were still unaccounted for
Sixteen items of lost or stolen documents from the Welsh Assembly Government have been recorded in the last three years, say officials.
Ten of the losses classed as "medium to low risk", including a laptop, took place in 2008, according to details obtained by the Conservatives.
The missing data said to be of medium risk included a briefcase of "various papers" left on a train.
The assembly government said it had always taken data protection seriously.
Other information deemed medium risk, which was lost in the past year, included a hard copy file about a property and a personnel file containing a member of staff's employment history.
A personnel file lost by the HR department, business information from the department for economy and transport and papers belonging to the assembly's legal services department were also lost.
Darren Millar, the Conservative assembly member for Clwyd West, was given the details after making a request under the Freedom of Information Act (FoI).
He said the assembly government needed to review its policies and procedures quickly.
Mr Millar said: "I find it interesting the Welsh Assembly Government does not feel that any of the losses are high risk, especially when you consider that personnel files usually contain sufficient information for identity fraud, including bank details, and that the contents of the lost legal briefcase have not been identified.
"If these are not high risk then what are?"
Among the items said to be low risk were a stolen laptop containing non-commercially sensitive information and files on properties which had been offered improvement grants from the economy department.
Four hard copy files belonging to the department for children and education and meeting papers were among other documents in an assembly government van which was stolen.
Meanwhile, laptops containing non-official personal data are "unaccounted for".
Mr Millar added: "I had hoped that the increasing public concern over these matters would have encouraged assembly government departments to be all the more careful and vigilant with the information in their care."
A spokeswoman for the assembly government said it has always taken data protection seriously, not only complying with the Data Protection Act, but also "delivering the commitment" to always respect privacy as contained within its code of practice on public access to information.
"While the majority of the losses concern business-related information rather than personal data all of the incidents have been fully investigated and reviewed and no systemic failure has been identified," said the spokeswoman.
"This suggests that reporting has increased due to raised awareness of the issue."
She said all staff received training and regular briefings on information security and data protections. She added that policies and procedures were regularly audited.
Last August, Mr Millar revealed he had found patient documents in a communal area of a block of flats in Cardiff.
Cardiff and Vale NHS Trust launched an investigation.