BORDERS council bosses stand accused of frittering away public money, after the local authority was this week fined £250,000 for its role in the bungled disposal of nearly 850 confidential files which ended up dumped in a supermarket bin.
The fine issued by the Information Commissioner’s Office (ICO) for the data breach, which occurred in September last year, is only the second given to a Scottish organisation and dwarfs the previous £140,000 penalty levied against Midlothian Council at the beginning of this year for disclosing personal data.
Scottish Borders Council (SBC) had employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure and did not make sufficient attempts to monitor how the data was being handled.
A haul of 676 files belonging to SBC, with some containing bank and salary details, were found by a member of the public dumped in a recycling bank, believed to be situated in a supermarket car park in West Lothian.
It was later revealed that 172 further documents had also been uncovered in another nearby recycling bin.
SBC reported the matter to the Information Commissioner’s Office and terminated its contract with the un-named supplier involved.
The files related mainly to former employees of the council and its partner agencies who left its pension scheme between 2008 and 2011.
Ken Macdonald, assistant information commissioner for Scotland, said it was a classic case of an organisation taking its “eye off the ball” when it came to outsourcing.
“When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
“It is only good fortune that these records were found by someone sensible enough to call the police.
“It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own,” said Mr Macdonald.
And Eben Wilson, director of campaign group Taxpayer Scotland, said he believed hard-pressed taxpayers will be shocked that their council will have to stump up £250,000 at a time when local services are already under extreme financial pressure.
“Scottish taxpayers can only watch aghast as their hard-earned cash is frittered away through sheer incompetence,” Mr Wilson told TheSouthern yesterday.
“The information commissioners have done taxpayers a favour in highlighting these mistakes. Perhaps they could find a way of returning the fines to local taxpayers.”
Giving her reaction to the fine, SBC chief executive Tracey Logan admitted it was “very disappointing” the council had been fined such a large sum in the current economic climate.
But, acknowledging the seriousness of last year’s breach, she then pledged that steps have now been taken to ensure data protection continues to be a priority across the council.
And she added: “This additional expenditure is obviously unhelpful at a time when public funding is already stretched.
“We do have robust financial monitoring processes in place across the council, however, and have always ensured we have the funds available to cover such unforeseen costs within our reserves.”
Quizzed on whether SBC would try to claw back some of the fine from the contractor used to dispose of the files, a spokesman told us: “The council has considered all the options available to it, but it would be inappropriate to comment further.”
However, Councillor Nicholas Watson (Leaderdale & Melrose, Borders Party) says the blunder could have seriously dented public confidence in the local authority.
“I know these papers were dumped by an outside company, but we’ve got to accept some blame for not engaging a responsible contractor – what sort of a contractor chucks sensitive files into a bin at a supermarket?” he said.
“Thank goodness they were noticed by a lady with a great sense of duty, and we are extremely grateful to her.
“I know none of the information got misused, but it’s about future confidence in SBC as well.
“I’m glad to say that as soon as SBC knew what had happened a new method of disposing of sensitive files was put in place, so I trust this won’t happen again.”
Comment – Page 9