Council fined $384k for negligent outsourcing

Digitisation project ends in dumpster privacy disaster.

The UK’s Information Commissioner’s Office (ICO) has fined a council £250,000 (AU$384,000) after its document scanning contractor dumped a load of employee pension records in a shopping market’s recycling bin.

In 2011, a member of the public discovered eight boxes overflowing from a paper recycling bin that were later found to contain income, insurance, address and other personal details of over 600 former Scottish Borders Council employees.

The discovery was reported to police and the council later discovered the documents were dumped by the scanning outfit it had contracted in 2005 to digitise its pension records.

While hundreds of documents were found in that recycling bin, the ICO’s investigation found the contractor’s standard practice was to dump the original pension documents in recycling bins. The contractor also returned the scanned files to the council on unencrypted discs in standard post.

As many as 8000 pension records were handled in similar fashion during the contract’s duration, according to the ICO’s penalty notice.

The council was fined primarily for failing to require its contractor to securely handle sensitive employee documents.

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place,” said Ken Macdonald, ICO Assistant Commissioner for Scotland.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts