A local authority has recently been handed a £250,000 fine by the Information Commissioner's Office (ICO) after confidential data relating to nearly a thousand employees was found at an overflowing recycling bin in a supermarket car park.
The Council's pensions team had engaged a contractor to digitise its pension records since 2005. Despite the fact that the contractor had undertaken scanning work for other Council departments from time to time, there was no written contract in place. In September 2011 police were alerted to files containing personal data which had been left at an overfilled recycling bank. It transpired that the contractor had left ten boxes containing 848 files at two recycling banks. The files contained confidential employee data including name, address, NI number and date of birth. In nearly half of these cases salary and bank details were also included.
Over the previous six years the contractor had digitised an estimated 8000 records, scanning the files to unencrypted discs and sending the discs to the council via standard post. It appears that the hard copies of each of these records had been disposed of by way of paper recycling banks.
Since April 2010, the ICO has had the power to fine organisations for breaches of the Data Protection Act where three conditions are met. Firstly, there must have been a serious breach of one or more of the data protection principles. Secondly, the breach must be likely to cause substantial damage or substantial distress. Thirdly, and most importantly for those responsible for compliance, the breach must either have been deliberate or the data controller must have known there was a risk of a breach and failed to take reasonable steps to prevent it.
Unsurprisingly, in this instance the ICO found that there had been a serious breach which, by disclosing confidential employee information, was likely to cause distress and risked exposing the employees to identity fraud. The Council had not taken reasonable steps to prevent the release of the data, and was particularly culpable because of the duration of the breach and the fact that the data processor had been free to dispose of the documents in an even less secure manner.
This case is a cautionary reminder to organisations of the risks involved in outsourcing data processing to a third party. In all cases, but particularly those involving large volumes of data or particularly sensitive records, organisations should ensure that the following steps are taken:
- conduct a due diligence exercise prior to engaging a contractor to ensure that they offer sufficient guarantees in relation to data protection matters;
- ensure that a written contract is in place containing robust data protection requirements; and
- carry out ongoing monitoring to ensure that contractual obligations and security requirements are being met.