
ICO Dishes Out £250,000 Fine After Outsourcing Nightmare

A Scottish council has been handed a hefty fine after an outsourcing project went catastrophically wrong and rafts of data were lost, although it is considering an appeal.

Scottish Borders Council, which has been told to pay out £250,000, employed an outside company (which has not been named) to digitise former employees’ pension records. But paper versions of those records, amounting to 600 files, were found in an overloaded paper recycle bank in a supermarket car park.

Many records contained salary and bank account details. A member of the public alerted the police and the files were recovered. Another 172 files were thought to have been destroyed at a recycling centre, according to the Information Commissioner’s Office (ICO).

Outrageous outsourcers

Even though the council was not responsible for dumping the papers, the Data Protection Act makes firms who employ outsourcers responsible for keeping data safe. As Scottish Borders Council did not get assurances from the outsourcer, largely because it didn’t even bother to draw up a contract, it received one of the largest fines the ICO has ever handed out.

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing,” said Ken Macdonald, ICO assistant commissioner for Scotland.

“When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.”

Yet a council spokesperson told TechWeekEurope it was not certain the body would pay the fine. It is currently in discussions with the data protection watchdog and may even appeal, if it believes there are grounds to argue the penalty is too high.

In an emailed statement, Tracey Logan, chief executive of the Scottish Borders Council, said: “It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate.

“We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council. We are fully committed to complying with the terms set out in the ICO’s undertaking.

“This additional expenditure is obviously unhelpful at a time when public funding is already stretched. We do have robust financial monitoring processes in place across the council however and have always ensured we have the funds available to cover such unforeseen costs within our reserves.”

If it does appeal, it will not be the first organisation to have a formal dispute with the ICO. In June, the Brighton and Sussex University Hospitals NHS Trust confirmed it was to appeal a £325,000 penalty, claiming its representations to the ICO had been ignored.

In a case similar to that of Scottish Borders Council, it was an outsourcer who was to blame for data actually going missing. The Trust had employed an “experienced NHS IT service provider” – Sussex Health Informatics Service (HIS) – to dispose of a number of redundant hard drives, some of which were placed on eBay even though they had a significant amount of personal data on them.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • How can you fairly fine a council - it's the innocent tax/rate payers that are going to pick up the bill. The fine should be on the people responsible - Chief executive and the team.
