Staff pensions records lost – Council fined £250k

The Information Commissioner’s Office (ICO) has confirmed that it has issued Scottish Borders Council with a £250,000 fine following the loss of pension records, bank details and salary information.

A report on confirmed that 676 files were recovered from supermarket recycle bins after being spotted by a member of the public. And another 172 files were said to have been destroyed in the recycling process.

The council had used an external company to digitise the records, but the ICO said the authority had failed to seek appropriate guarantees on how the personal data would be kept secure, despite this being required under UK data protection laws.

The regulator found that no contract had been put in place with the third-party processor. It also said the council had sought no guarantees on the technical and organisational security protecting the records, and that the authority had failed to make sufficient attempts to monitor data handling.

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing,” said Ken Macdonald, ICO assistant commissioner for Scotland.

“When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.

“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

The revelation follows news that Scottish councils have lost the personal data of 10,000 residents over the past five years.