Scottish council fined £250,000 over pension files dumped in bin

More than 600 files containing employee bank details were left in a recycling bin by a company hired by Scottish Borders Council to digitise the information.
Written by Jon Yeomans, Contributor

Scottish Borders Council has been fined £250,000 by the UK data-protection watchdog, over a data breach that resulted in former employees' pension records being dumped in a recycling bin.

The Information Commissioner's Office (ICO) censured the council after more than 600 files, some of them containing salary and bank account details, were found in an over-filled recycling bin in a supermarket car park. The files had been dumped there by a third party the council had hired to digitise the records. The dumped documents were reported to the police by a member of the public.

"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," Ken Macdonald, ICO assistant commissioner for Scotland, said in a statement on Tuesday. "When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

Under the Data Protection Act, organisations remain legally responsible for personal data even when they have engaged a third party to process it on their behalf.

"This information could have exposed people to identity fraud and possible financial loss through no fault of their own," Macdonald added.

"It is very disappointing to receive such a high monetary penalty from the ICO, especially in the current economic climate," Tracey Logan, chief executive of Scottish Borders Council, said in a statement. "We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council.

"We are fully committed to complying with the terms set out in the ICO's undertaking."

ICO powers

In 2010, the ICO was given the power to levy fines of up to £500,000 on organisations that breach the Data Protection Act.

In answer to a Freedom of Information request made by ZDNet, the ICO revealed in August that it had imposed a total of 23 monetary penalties. Only two of these have not been paid: the fines levied on the Central London Community Health Care NHS Trust and on Andrew Crossley of ACS:Law.

The Central London Community Health Care NHS Trust has appealed its £90,000 fine for sending faxes containing sensitive patient information to the wrong recipient.

ACS:Law made headlines for sending letters to thousands of people requesting payments of £495 in exchange for not taking them to court over alleged unlawful file-sharing. It was fined £1,000 in May 2011 for failing to keep secure the personal data of 6,000 people, which was exposed during a cyberattack on the company's systems by activist group Anonymous.

"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," information commissioner Christopher Graham said at the time. Crossley has since been declared bankrupt.
