ICO imposes fine £250,000 and warns about shoddy outsourcing deals

Scottish Borders Council has been fined £250,000 for losing former employees’ pension records. Some 600 files containing personal information - in some cases salary and bank account details - were found in a supermarket paper recycling bank.

The ICO says that organisations need to be vigilant when outsourcing data processing functions. In this case, Scottish Borders Council had used a third party to digitise records, but had no contract in place that would have stipulated data security measures. The ICO also says the Council did not make sufficient attempts to monitor how the data was being handled.

Ken Macdonald, ICO Assistant Commissioner for Scotland, said:
"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing… It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.”

The fine is the second largest the ICO has issued so far. In June 2012, it served a monetary penalty notice for £325,000 on Brighton and Sussex University Hospitals NHS Trust. The highest possible fine is £500,000. All fines are paid into HM Treasury's Consolidated Fund.

The monetary penalty notice for Scottish Borders Council, announced on 11 September, will be added in due course to the ICO’s website.

Privacy Laws & Business will run a free breakfast seminar in London on 4 October on Privacy by Design; designing your operations, your products and services with privacy in mind from the start. Speakers include Jonathan Bamford, Head of Strategic Liaison at the Information Commissioner's Office; and Dr Ann Cavoukian, Ontario Information and Privacy Commissioner, Canada.