Scottish Borders Council has been fined £250,000 by the Information Commissioner’s Office (ICO) after papers containing sensitive information were found dumped in a recycling bin.
The council had employed a third party to digitise papers containing details on former employees. However the council failed to established what would happen to the paper versions of the documents.
The documents contained sensitive information including in some cases, salary and bank account details.
The company tried to dispose of 676 files in a recycling bin in a supermarket car park. However the bin was already overflowing, meaning the dumped papers were easily spotted by a member of public. A further 172 files were deposited in another recycling bin and, it is thought, destroyed in the recycling process.
The ICO decided to fine the council because the law states that even though they were not directly responsible for the disposal of the files, it was still their legal responsibility. The fine of £250,000 is one of the largest the ICO has ever handed out.
"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," said Ken Macdonald, ICO Assistant Commissioner for Scotland. "When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."
He added that it was only "good fortune" that the records were found by someone who subsequently called the police. If the data in the files had fallen into the wrong hands, people could have been at risk of identity fraud.
Content from our partners
In a statement sent to CBR, the council said it was disappointed by the decision.
"It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate," said Chief Executive Tracey Logan. "We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council."
"We are fully committed to the complying with the terms set out in the ICO’s undertaking. All contracts with suppliers are now established and monitored by our specialist central procurement staff and we will continue to train, support and raise awareness among staff and contractors on the importance of data protection," the statement added.
Logan added that the council has robust financial monitoring processes in place and always has funds in place "to cover such unforeseen costs within our reserves."
The ICO’s record fine still stands at £325,000, handed out to Brighton and Sussex University Hospitals NHS Trust after hard drives containing sensitive information were sold online. The Trust had employed a third party to dispose of the hard drives. It is appealing the decision.
