ICO Dishes Out £250,000 Fine After Outsourcing Nightmare

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Scottish council says it may appeal a massive fine for an outsourcer’s recycling gaffe

A Scottish council has been handed a hefty fine after an outsourcing project went catastrophically wrong and rafts of data were lost, although it is considering an appeal.

Scottish Borders Council, which has been told to pay out £250,000, employed an outside company (which has not been named) to digitise former employees’ pension records. But paper versions of those records, amounting to 600 files, were found in an overloaded paper recycle bank in a supermarket car park.

Many records contained salary and bank account details. A member of the public alerted the police and the files were recovered. Another 172 files were thought to have been destroyed at a recycling centre, according to the Information Commissioner’s Office (ICO).

Outrageous outsourcers

Even though the council was not responsible for dumping the papers, the Data Protection Act makes firms who employ outsourcers responsible for keeping data safe. As Scottish Borders Council did not get assurances from the outsourcer, largely because it didn’t even bother to draw up a contract, it received one of the largest fines the ICO has ever handed out.

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing,” said Ken Macdonald, ICO assistant commissioner for Scotland.

“When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.”

Yet a council spokesperson told TechWeekEurope it was not certain the body would pay the fine. It is currently in discussions with the data protection watchdog and may even appeal, if it believes there are grounds to argue the penalty is too high.

In an emailed statement, Tracey Logan, chief executive of the Scottish Borders Council, said: “It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate.

“We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council. We are fully committed to complying with the terms set out in the ICO’s undertaking.

“This additional expenditure is obviously unhelpful at a time when public funding is already stretched. We do have robust financial monitoring processes in place across the council, however, and have always ensured we have the funds available to cover such unforeseen costs within our reserves.”

If it does appeal, it will not be the first organisation to have a formal dispute with the ICO. In June, the Brighton and Sussex University Hospitals NHS Trust confirmed it was to appeal a £325,000 penalty, claiming its representations to the ICO had been ignored.

In a similar case to the Scottish Borders Council, it was an outsourcer who was to blame for data actually going missing. The Trust had employed an “experienced NHS IT service provider” – Sussex Health Informatics Service (HIS) – to dispose of a number of redundant hard drives, some of which were placed on eBay even though they had a significant amount of personal data on them.
