ICO warns councils of ongoing responsibilities when hiring contractors

The Information Commissioner’s Office has warned local authorities not to abdicate their ongoing responsibilities when they hire external contractors to process personal information on their behalf.

The call was made after an ICO investigation found that Walsall Council had breached the Data Protection Act by accidentally dumping hundreds of local residents’ postal vote statements in a skip.

The statements were disposed of in March 2011 by an external contractor on the council’s behalf. The information included people’s names, addresses, dates of birth and signatures.

“Despite the council’s best efforts, 951 statements have not been recovered and are believed to have ended up in landfill or been destroyed,” the ICO said.

The watchdog’s investigation revealed that Walsall did not have a contract in place with the external organisation. The local authority had also failed to provide the contractor with instructions on keeping the information secure, as required by the DPA.

Simon Entwisle, ICO Director of Operations, said: “While councils can hire contractors to process personal information on their behalf, they must remember that they are still ultimately responsible for ensuring people’s information is kept secure. Obviously little thought was given to this when the statements were disposed of in the skip.”

Walsall has signed an undertaking that it will ensure contracts are put in place with all suppliers hired to process personal data on its behalf.

It will also ensure guarantees are agreed with contractors, and monitor compliance with its policies and procedures.