A fine issued by the UK Information Commissioner's Office (ICO) has been overturned for the first time by the Information Tribunal. In September 2011 the Scottish Borders Council (SBC) was fined £250,000 for breaching its obligations under the Data Protection Act. SBC had outsourced the digitization of its pension records without properly checking how the information would be kept and disposed of by the contractor. More than 700 employee records containing personal data including names, addresses, national insurance numbers, salary and bank details were discovered by a member of the public in a recycling bin in a supermarket car park (where they had been put by the contractor). The fine imposed by the Information Commissioner on SBC was, at the time, the second largest fine ever imposed by the ICO in the UK. SBC successfully appealed the decision, with the Tribunal finding that the ICO had insufficient grounds to justify the fine. The full reasoning of the decision is expected to be published shortly; however, the Tribunal has indicated that although it considered the breaches in question to be serious, the fact that the level of damage to the individuals affected was low meant that the penalty imposed could not be justified. Although the Tribunal maintains that this case was decided on its facts, it may set a precedent for imposing a lower fine or alternative penalties (such as undertakings) where the damage caused to individuals is negligible.
TIP: When outsourcing activities that involve the processing of personal data, think about whether the contractor is aware of and capable of fulfilling its obligations under privacy laws.