Council faces hefty fine after data breach

SCOTTISH Borders Council is set to become only the second organisation in Scotland to be financially punished by the Information Commissioner’s Office after nearly 850 pension scheme files were found dumped in recycling bins, writes Kenny Paterson.

The ICO confirmed it has served a Notice of Intent following the data breach last year, which means a substantial monetary penalty is likely.

While an ICO spokesman would only say that enquiries are ongoing, its website advises that it can hand out penalties of up to £500,000.

Along with a fine, the ICO, a public body which reports to the UK Parliament, has promised to visit SBC HQ at Newtown St Boswells to carry out an audit within the next 12 months.

In an internal email to councillors, staff and union leaders, SBC chief executive Tracey Logan said measures will be taken to ensure employees look after confidential information in line with the Data Protection Act 1998.

Ms Logan said: “All appropriate steps were taken by officers on the discovery of this incident.

“We have co-operated fully with the ICO and have also reviewed our arrangements to ensure that any necessary improvement action is taken and data protection continues to be a priority across SBC.

“A full investigation was carried out by internal audit and a report with a number of recommendations was produced which was made available to the ICO.

“I would like to reassure individuals who may have been affected that, based on the in-depth investigation carried out by our officers, we are confident that no personal information was accessed and the breach was contained upon its discovery.

“Based on the assessment of risk and due to the time that has elapsed since the breach was discovered, we have taken the decision not to write to all individuals.

“We do, however, fully understand that individuals may have concerns about this and anyone who does have any queries can contact the council on 01835 825052 or email”

A total of 676 files were discovered by a member of the public in a recycling bank, believed to be situated in West Lothian, in September 2011.

He reported the find to the police, with SBC staff recovering the files, cross-checking them against records and securely destroying them.

It was later revealed another 172 documents had been uncovered in another nearby recycling bin.

On this occasion, SBC says the papers were mechanically processed, assuring SBC officers that there was no risk of the files being accessed after the bin was emptied.

SBC reported the matter to the ICO and says the contract with the supplier involved in the breach was terminated immediately.

The council said it had been digitising pension records in the same manner since 2005. The files related mainly to former employees of the council and its partner agencies who left its pension scheme between 2008 and 2011.

They contained information on people who were members of the policy but either had no pension payment, had opted out, had received a refund of contributions or had transferred to a new pension provider.

In January this year, the ICO fined Midlothian Council £140,000 for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five occasions.

It was the first time an ICO monetary penalty notice had been served against a Scottish organisation.