Outsourcing flaws see council hit with record ICO fine for local government
A Scottish council’s failure to put in place appropriate controls when outsourcing the destruction of confidential information has seen it receive a record fine for local government for a breach of data protection rules.
Scottish Borders Council was hit with a £250,000 monetary penalty by the Information Commissioner’s Office after former employees’ pension records were discovered in an over-filled paper recycle bank.
However, a spokesman for the local authority indicated that it plans to appeal the ICO’s decision.
According to the ICO, the council had used an outside contractor to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
Scottish Borders “put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled”.
Some 676 files were recovered from the recycle bins after a member of the public spotted them and called the police.
The files contained confidential information and, “in a significant number of cases”, salary and bank account details.
A further 172 files were deposited on the same day but were thought to have been destroyed during the recycling process.
The previous record monetary penalty for local government (£140,000) was levied on Midlothian Council after a series of data protection breaches in its children’s services department.
The record fine so far is the £325,000 penalty levied on Brighton and Sussex University Hospitals Trust after more than 200 hard drives were found to have been sold on an internet auction site.
Like the Scottish Borders case, the ICO’s fine was in part a response to flaws in the trust’s arrangements for contracting out the destruction of sensitive information.
BSUH originally announced its intention to appeal, but in the end paid up just before the deadline for an early payment discount.
That decision left Central London Community Healthcare NHS Trust's appeal against a £90,000 fine as the only ongoing legal challenge to a monetary penalty issued by the ICO under s. 55A of the Data Protection Act 1998.
Ken Macdonald, ICO Assistant Commissioner for Scotland, said: "This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
"It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.”
Macdonald added: "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law."
Tracey Logan, Chief Executive of Scottish Borders, said: "It is very disappointing to receive such a high monetary penalty from the ICO, especially in the current economic climate.
“We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council. We are fully committed to the complying with the terms set out in the ICO's undertaking.”
Logan said all contracts with suppliers were now established and monitored by the council’s specialist central procurement staff.
She added: “We will continue to train, support and raise awareness among staff and contractors on the importance of data protection. This additional expenditure is obviously unhelpful at a time when public funding is already stretched.
"We do have robust financial monitoring processes in place across the council however and have always ensured we have the funds available to cover such unforeseen costs within our reserves."