ICO fines council £250,000 for records dumped in bin by outsourcer

Scottish Borders Council hired a company to digitise records, but copies were found in a recycle bank in a supermarket car park

The Information Commissioner has fined Scottish Border Council £250,000 under the Data Protection Act for not putting in appropriate guarantees when it outsourced responsibility to an external company to digitise employees' pension records.

Some 676 records were deposited by the unnamed company into a recycle bin in a supermarket car park, which contained information on employee salary and bank accounts. The files were spotted by a member of the public, who called the police.

A further 172 files deposited on the same day, but at a different paper recycling bank, are thought to have been destroyed in the recycling process.

The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.

"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," ," said Ken Macdonald, ICO Assistant Commissioner for Scotland.

"When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

He added: "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law."

The ICO last month also issued a swingeing £175,000 fine on a health trust that published a spreadsheet containing sensitive information on 1,400 employees on its website.

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Deep Security - Enterprise Virtualization Security

Advanced protection for physical, virtual and cloud servers

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »