The UK’s Information Commissioner’s Office (ICO) has fined a council £250,000 (AU$384,000) after its document scanning contractor dumped a load of employee pension records in a shopping market’s recycling bin.
In 2011, a member of the public discovered eight boxes overflowing from a paper recycling bin; the boxes were later found to contain income, insurance, address and other personal details of over 600 former Scottish Borders Council employees.
The discovery was reported to police, and the council later found that the documents had been dumped by the scanning outfit it had contracted in 2005 to digitise its pension records.
While hundreds of documents were found in that recycling bin, the ICO’s investigation found the contractor’s standard practice was to dump the original pension documents in recycling bins. The contractor also returned the scanned files to the council on unencrypted discs in standard post.
As many as 8000 pension records were handled in similar fashion during the contract’s duration, according to the ICO’s penalty notice.
The council was fined primarily for failing to require its contractor to securely handle sensitive employee documents.
“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place,” said Ken Macdonald, ICO Assistant Commissioner for Scotland.