Records Dumping Triggers Hefty Fine
£250,000 Penalty for Scottish Borders CouncilThe UK Information Commissioner's Office has fined the Scottish Borders Council £250,000 after hundreds of former employees' pension records were found in a recycling bin in a supermarket parking lot.
See Also: OnDemand | Realities of Choosing a Response Provider
The council is a local government entity that oversees the Scottish Borders area of Scotland.
The council hired a vendor to digitize its records but failed to seek guarantees on how the personal information would be kept secure, according to an ICO release.
An individual notified police that the files, which contained salary and bank account details, were in the recycling bin; authorities then recovered 676 files. Another 172 files were placed in a different recycling bin that same day and are believed to have been destroyed in the recycling process, the ICO says.
"The [council] put no contract in place with the third-party processor, sought no guarantees on the technical and organizational security protecting the records and did not make sufficient attempts to monitor how the data was handled," according to the release.
The penalty was issued under the Data Protection Act, which requires that an organization is still legally responsible for the security of its information, even if it hires a third-party organization to process it.
The ICO has offered guidance to small and medium-sized businesses on outsourcing.