In the UK Scottish council fined £250k following recycle bin data breach

September 14, 2012

The Information Commissioner’s Office (ICO) has found that the Scottish Borders Council had been guilty of a serious breach of the Data Protection Act.

The Council arranged for a man, known only as ‘GS’, to “digitise” its employees’ paper pension records. However, in September last year a member of the public discovered that 676 files had been dumped in a supermarket’s “overfilled” paper recycling bank. GS had dumped a further 172 files in another paper recycling bank on the same day.

The 676 files contained the Council employees’ names, addresses and national insurance numbers and, in just under half the cases, individuals’ salary and bank account details.

“[Scottish Borders Council] failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures,” the ICO found.

When outsourcing personal data processing to others, data controllers are required to select processors that can provide “sufficient guarantees” that they can properly meet the “technical and organisational measures” requirement and that they will “take reasonable steps” to “ensure compliance”.

The data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to meeting the “technical and organisational measures” requirement of the DPA. The data controller is also responsible for those personal data security standards being met by the processors to which they outsource.

Further rules apply to outsourcing of personal data processing where processing takes place outside the European Economic Area.

The ICO said that the Council should have regularly monitored GS to ensure GS was complying with the DPA and should have had a written contract in place with him.
