Why did those employees have access to such sensitive data? We could argue about the legal requirement to submit this data in general, but I really don't understand why (most of) this data isn't stored in an encrypted way and only accessible by a few people in the company.