We are all familiar with the ongoing saga of data breach, notifications to the Information Commissioner’s Office and the risk fines and bad publicity. The latest example is Scottish Borders Council who were fined £250,000 by the ICO on 10 September 2012. While many of the recent breaches involve complex hacking and clever technology, this one was much more basic.
Scottish Borders Council hired a processor to digitise its pensions records. So it involved transferring hard copy records to the processor who would then input the data to an IT system. On 10 September 2012, a member of the public noticed a paper recycling bank that had been overfilled with discarded files! On closer inspection, it became clear that some of the files contained personal data. There were in fact 8 boxes containing 676 files that had been deposited in the paper recycling bank by the processor. Not only that, the files contained confidential personal data including name, address, national insurance number and data of birth. Some files also contained salary and bank account detail.
Following the investigation, it transpired that the controller had failed to choose a processor providing “sufficient guarantees” in relation to security and had failed to take reasonable steps to ensure compliance with those measures. Interestingly, the ICO took the view that the controller should have put in place regular monitoring to ensure compliance. In addition, there was no contract between the controller and processor as required by the Data Protection Act.
In this case, Scottish Borders voluntarily reported themselves to the ICO and given the nature of the data and the volume of files compromised, they were certainly within the thresholds for notification under the ICO Guidance. In any event, the ICO concluded that this was a contravention likely to cause substantial damage or substantial distress, citing ID theft and the distress to individuals generated by the risk of ID theft. In the circumstances, the ICO took the view that this kind of data deserved the highest level of security and so a fine of £250,000 was appropriate.
While this case clearly illustrates the perils of ignoring data protection, it also highlights the particular dangers of failing to have systems and processes in place to ensure that all processors and vendors who have access to an organisation’s records are properly managed. It is also a reminder of the lack of awareness amongst some processors and vendors as to how personal information records should be protected. Controllers and processors beware!