Council facing hefty fine for security breach

SCOTTISH Borders Council is in line for a hefty financial penalty as punishment for a serious security breach which saw two lots of pension documents dumped in recycling bins.

The Information Commissioner’s Office (ICO) has been carrying out an investigation of a security breach which was self-reported by the local authority in September after 676 files were found by a member of the public.

It also came to light that a further 172 files had been placed in a second recycling bank. Following a lengthy enquiry into the breach, the ICO has served a notice of intent to issue the council with a substantial fine. The amount will be revealed on or after next Friday, August 31.

The ICO has also issued an undertaking to be signed by SBC’s chief executive, Tracey Logan, which sets out a number of key obligations that the council has under the Data Protection Act and commits the council to an audit being carried out by the ICO in the next 12 months.

The files found last autumn all related to SBC’s Local Government Pension Scheme and had been deposited in a recycling bank by an external supplier, who had their contract terminated immediately after the discovery.

Council representatives recovered all the files deposited in the recycling bank, cross-checked them against records and then securely destroyed them.

The contents of the second recycling bank were mechanically processed before this was known, however council officers visited the recycling depot to see the process in place for emptying the bank.

It was evident that all the paper is processed mechanically with no human contact involved. Officers were therefore satisfied that there was no risk of the files being accessed after the bank had been emptied.

The records involved mainly related to former employees of the council and the council’s partner agencies who left the pension scheme between 2008 and 2011.

In a statement, Tracey Logan explained: “All appropriate steps were taken by officers on the discovery of this incident.

“We have co-operated fully with the ICO and have also reviewed our arrangements to ensure that any necessary improvement action is taken and data protection continues to be a priority across SBC.

“A full investigation was carried out by Internal Audit and a report with a number of recommendations was produced which was made available to the ICO.

“I would like to reassure individuals who may have been affected that, based on the in-depth investigation carried out by our officers, we are confident that no personal information was accessed and the breach was contained upon its discovery.

“Based on the assessment of risk and due to the time that has elapsed since the breach was 
discovered, we have taken the decision not to write to all individuals.

“We do, however, fully understand that individuals may have concerns about this and anyone who does have any queries can contact the council on 01835 825052 or email”

Representations are currently being made to the ICO on both the notice of intent and the undertaking. The representations provide SBC with an opportunity submit comments and clarify inaccuracies in the ICO’s report. The ICO will publish details in due course.