ICO to pay back £250,000 fine after Scottish Borders Council wins appeal

Failed to demonstrate harm caused

The ICO has suffered a highly unusual and embarrassing reverse after a £250,000 ($375,000) fine it imposed on Scottish Borders Council (SBC) for carelessly disposing of paper records was ruled excessive by the Information Rights Tribunal.

Appeals against fines by the Information Commissioner are the exception, and decisions against fines, especially ones as large as that levied on the Council last September, are unheard of.

The original breach occurred in September 2011 when a member of the public discovered what turned out to be files containing personal data of 676 SBC employees in a supermarket paper recycling bank.

It later emerged that along with another 172 files, the records had been discarded by a third-party firm hired to digitise the Council's records. The firm had used public recycling banks as part of this contract for up to seven years before the discovery.

Two issues that probably upped the fine to the £250,000 level could have been this unusually long period of time and the fact that the breach was only discovered by chance, both of which suggested a lack of system and oversight.

Neither seems to have impressed the Tribunal, which has now overturned the ruling and asked the ICO to pay back the £200,000 of the fine already handed over by the Council, the remaining £50,000 having been waived for early payment.

"I am extremely pleased with the outcome and have always strongly believed that the monetary penalty notice issued by the ICO in this case was unjust and disproportionate," Council executive Tracey Logan said.

"Of course, I acknowledge that there were gaps in our processes in this case - but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the Council," she said.

In comments to the BBC, the ICO accepted that the Tribunal had not been convinced that the breach had led to actual harm to the individuals concerned.

"We are disappointed with the result and await the full ruling from the tribunal confirming the reasons for its decision, before deciding whether to appeal," a spokesperson was quoted as saying.

"We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice.

"The tribunal agreed with us that the breach, which led to over 600 pension records being found in an overfilled paper recycling bank in a supermarket car park, was a serious one, but we were unable to satisfy them that it was likely to lead to substantial damage or substantial distress being caused to the individuals affected."

The ICO can console itself that a separate appeal by Sony over a £250,000 fine for the infamous and vast hack of its systems in 2011 was rejected in the Information Commissioner's favour only days before the Scottish Borders Council ruling.

Given the scale of that breach, the appeal always seemed like a long shot by Sony. Most of the ICO's notable rulings are against public sector organisations; to have lost one against an organisation in the private sector would have counted as a major setback.


Stories by John E Dunn
