ICO fines council £250,000 for records dumped in bin by outsourcer

ICO fines council £250,000 for records dumped in bin by outsourcer

Scottish Borders Council hired a company to digitise records, but copies were found in a recycle bank in a supermarket car park

Article comments

The Information Commissioner has fined Scottish Border Council £250,000 under the Data Protection Act for not putting in appropriate guarantees when it outsourced responsibility to an external company to digitise employees’ pension records.

Some 676 records were deposited by the unnamed company into a recycle bin in a supermarket car park, which contained information on employee salary and bank accounts. The files were spotted by a member of the public, who called the police.

A further 172 files deposited on the same day, but at a different paper recycling bank, are thought to have been destroyed in the recycling process.

The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.

"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing,” ,” said Ken Macdonald, ICO Assistant Commissioner for Scotland.

“When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

He added: "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law."

The ICO last month also issued a swingeing £175,000 fine on a health trust that published a spreadsheet containing sensitive information on 1,400 employees on its website.

Share:

Comments

Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *