A report has revealed that Scottish Borders Council did not have a secure means of disposing of personal files for three years before its data breach.
Information Tribunal judge Nicholas Warren wrote that the company responsible for dumping council employee pension records in a Tesco recycle bin in South Queensferry in 2011 had stopped using a paper waste company to destroy the files in 2008.
Judge Warren also criticised the council for “systemic” contravention of the Data Protection Act in terms of processing pension records in July and August 2011.
He wrote: “The reality was that Scottish Borders (Council) had no system for ensuring that the Act was observed in data processing contracts of less than £5,000. Nor was there any obvious system for those contracts of less than £20,000.”
At the tribunal in June, SBC successfully appealed the £250,000 fine handed out by the Information Commissioner’s Office for the data breach, but a spokesman for the authority acknowledged this week there were gaps in its process. He said: “As instructed by the Information Tribunal, the council is currently in discussion with the ICO to confirm that the steps we have taken since the breach, and continue to take, have addressed the concerns raised by the tribunal.
“Data protection continues to be a high priority across the council. This is highlighted by the council initiating an information management project.”