Data breach fine ‘very harsh’, says council leader, as SBC to pursue ‘other remedies’

COUNCILLORS were this week informed that there was no chance of pursuing the firm involved in the bungled disposal of sensitive personnel documents, which led to the local authority being fined £250,000 last week.

Nearly 850 confidential files ended up dumped in a supermarket bin, believed to be in West Lothian, by a firm hired by Scottish Borders Council.

Last week’s fine issued by the Information Commissioner’s Office (ICO) for the data breach, which occurred in September last year, was only the second given to a Scottish organisation.

The council was adjudged to have failed to seek appropriate guarantees on how the personal data would be kept secure and did not make sufficient attempts to monitor how the data was being handled.

The files, some containing bank and salary details, were found by a member of the public.

On discovering the breach, SBC reported the matter to the ICO and terminated the contract. But Ken Macdonald, assistant information commissioner for Scotland, described it as a classic case of an organisation taking its “eye off the ball” when it came to outsourcing.

And he added that, in other circumstances, the information could have exposed people to identity fraud and possible financial loss through no fault of their own.

The fine was described by SBC chief executive Tracey Logan as “very disappointing”, but Taxpayer Scotland director Eben Wilson said local taxpayers would more likely be outraged by what he called the “frittering away” of public money.

At this week’s meeting of the council executive, the issue of the fine was raised by Councillor Stuart Bell (Tweeddale East, SNP), during a debate on revenue budget monitoring.

Mr Bell said he was concerned about some of the media reporting of the fine.

“I just think it’s an unreasonable sum of money considering the council put its hand up as soon as this breach was discovered,” he added.

And he asked whether there was any intention to pursue the firm involved with a view to recouping some of the money or to challenge the fine in any way.

Council leader David Parker (Leaderdale & Melrose, Ind) said he was also extremely frustrated by the level of the fine.

“We did the right thing reporting it and fully co-operating with the data commissioner,” he said.

“There is an issue over whether the size of the fine is reasonable and I am of the opinion it is not. We are examining, with colleagues in the legal service, to see if there are any grounds to challenge it.

“I think the size is disproportionate – there was no identity theft involved. It was a very harsh judgment.”

Councillor David Paterson (Hawick & Hermitage, Ind) agreed the size of the penalty was disproportionate.

“We employed this firm and the job was not done correctly – I really think something should be done to try to get money back from them.”

But he was told by Mr Parker this would not be possible.

“We looked into that, but the company involved is no longer trading.”

And he added: “There will be a reduction of the level to £200,000 if we pay the fine promptly, so we will be paying it promptly, but we will be pursuing other remedies as well.”

Asked by Councillor Jim Brown (Jedburgh, SNP) about where the fine cash would end up, chief financial officer David Robertson replied that it would ultimately end up in the coffers of HM Treasury.