16 September 2012

Blowin in the wind

The UK Information Commissioner has announced imposition of a £250,000 Civil Monetary Penalty on Scottish Borders Council under the Data Protection Act. Pension records of the Council's former employees were found "in an over-filled paper recycle bank in a supermarket car park".

The Council had employed an outside company to digitise the records but "failed to seek appropriate guarantees on how the personal data would be kept secure". The Information Commissioner commented that
The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.
But Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process. 
The ICO Assistant Commissioner for Scotland stated
This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.