Scottish Council Fined £250,000 for Data Breach

The UK Information Commissioner's Office (ICO) has fined the Scottish Borders Council £250,000 after files containing employees' pension records were found in an overfilled recycling bin.

"It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details," writes UKAuthority.com's Helen Olsen. "The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process."

"Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure," writes Peeblesshire News' Graham Ford. "That prompted the Information Commissioner to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £250,000 on the Council."

"Even though the council was not responsible for dumping the papers, the Data Protection Act makes firms who employ outsourcers responsible for keeping data safe," writes TechWeekEurope's Tom Brewster. "As Scottish Borders Council did not get assurances from the outsourcer, largely because it didn’t even bother to draw up a contract, it received one of the largest fines the ICO has ever handed out."

"This is a classic case of an organization taking its eye off the ball when it came to outsourcing," ICO assistant commissioner for Scotland Ken Macdonald said in a statement. "When the Council decided to contract out the digitizing of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place. It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own."