Backup and Storage

ICO hits Scottish Borders Council with £250,000 fine

The ICO has issued a fine after pension records regarding former council employees were found in a recycling bank

As the Information Commissioner’s Office (ICO) steps up its attempts to ensure both public and private organisations comply with the Data Protection Act, the Scottish Borders Council has been hit with a Civil Monetary Penalty of £250,000 for mishandling the pension records of former employees.

The fine was imposed after it emerged that more than 600 files were discovered in a paper recycling bank in a supermarket car park, and a member of the public quickly alerted police after realising the nature of the documents.

According to the report, the Scottish Borders Council had employed the services of an outside company to digitise the records, but did not take the appropriate steps to ensure that the security of the data would be managed effectively.

As such, the Council has been held responsible for the breach due to the terms laid out by the Data Protection Act, which states that the owners of the information are still required to protect the privacy rights of the individuals who the files concern, even when outsourcing their storage strategies.

"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," said Ken Macdonald, ICO assistant commissioner for Scotland.

"When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept.

"If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data."

While electronic document storage is an efficient means for companies to reduce their reliance on physical records, they still have to ensure that any confidential information is not compromised by their switching to a digital format.

Indeed, as this incident demonstrates, the financial and reputational consequences can be particularly damaging.