Scottish Borders Council has been fined £250,000 by the Information Commissioner's Office (ICO) after former employee details were found in a paper recycle bank.
The records included former employees' pension details, salary information and bank account data. The council had contracted a third party to digitise the records but failed to seek appropriate guarantees on how the personal data would be kept secure.
The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day, but at a different paper recycling bank, are thought to have been destroyed in the recycling process.
Ken Macdonald, ICO assistant commissioner for Scotland and Northern Ireland, said: “This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.
“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”
The ICO pointed out that the Data Protection Act states that if you choose to use a third party to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed. Scottish Borders Council had no contract in place with the third-party processor, sought no guarantees on the technical and organisational security protecting the records, and did not make sufficient attempts to monitor how the data was being handled.
Speaking recently to SC Magazine, Jonathan Armstrong, lawyer at Duane Morris LLP, said that the impact of monetary fines from the ICO should be passed on to those directly responsible for the breaches and that they "should suffer the consequences as well".
Paul Ayers, VP EMEA of Vormetric, said: “This breach perfectly demonstrates an increasingly common enterprise challenge, as organisations are communicating with and exchanging data with an increasing number of supply chain partners and customers – it is now routine for firms to outsource the processing of sensitive financial services and core IT requirements.
“However, this way of working is leading to an increased risk of both data loss and the breach of compliance regulations. In this case, Scottish Borders Council had not performed sufficient checks on how securely the information would be kept nor how it would be managed by the third party – it was therefore they who were subject to the sizeable monetary fine.”