September 11, 2012

ICO slaps Scottish council with £250,000 fine

Papers containing sensitive information were dumped in a recycling bin

By Steve Evans

Scottish Borders Council has been fined £250,000 by the Information Commissioner’s Office (ICO) after papers containing sensitive information were found dumped in a recycling bin.

The council had employed a third party to digitise papers containing details on former employees. However, the council failed to establish what would happen to the paper versions of the documents.

The documents contained sensitive information including, in some cases, salary and bank account details.

The company tried to dispose of 676 files in a recycling bin in a supermarket car park. However, the bin was already overflowing, meaning the dumped papers were easily spotted by a member of the public. A further 172 files were deposited in another recycling bin and, it is thought, destroyed in the recycling process.

The ICO decided to fine the council because, under the law, the council remained legally responsible for the files even though it was not directly responsible for their disposal. The fine of £250,000 is one of the largest the ICO has ever handed out.

"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," said Ken Macdonald, ICO Assistant Commissioner for Scotland. "When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

He added that it was only "good fortune" that the records were found by someone who subsequently called the police. If the data in the files had fallen into the wrong hands, people could have been at risk of identity fraud.


In a statement sent to CBR, the council said it was disappointed by the decision.

"It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate," said Chief Executive Tracey Logan. "We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council."

"We are fully committed to complying with the terms set out in the ICO’s undertaking. All contracts with suppliers are now established and monitored by our specialist central procurement staff and we will continue to train, support and raise awareness among staff and contractors on the importance of data protection," the statement added.

Logan added that the council has robust financial monitoring processes in place and always has funds in place "to cover such unforeseen costs within our reserves."

The ICO’s record fine still stands at £325,000, handed out to Brighton and Sussex University Hospitals NHS Trust after hard drives containing sensitive information were sold online. The Trust had employed a third party to dispose of the hard drives. It is appealing the decision.
