The Information Commissioner’s Office (ICO) has been carrying out an investigation into the breach, which came to light after a member of the public found 676 files in a recycling bank in a supermarket car park in September last year. A further 172 files, deposited on the same day but in a different paper recycling bin, are thought to have been destroyed in the recycling process.
SBC employed a third-party organisation to digitise the records, but the ICO said the local authority didn’t follow correct procedures.
Under the Data Protection Act, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.
The ICO concluded that SBC put no contract in place with the third-party processor, sought no guarantees on the technical and organisational security protecting the records, and did not make sufficient attempts to monitor how the data was being handled.
Commenting on the investigation, Ken Macdonald, ICO assistant commissioner for Scotland, said: “This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. The council handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.
“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”
Responding to the fine, SBC’s chief executive Tracey Logan said: “It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate. We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council. We are fully committed to complying with the terms set out in the ICO’s undertaking. All contracts with suppliers are now established and monitored by our specialist central procurement staff and we will continue to train, support and raise awareness among staff and contractors on the importance of data protection.”