Be data protection aware

Following a 4 day hearing before the Information Tribunal, Scottish Borders Council (SBC) has successfully appealed a fine for £250,000 imposed on it by the Information Commissioner’s Office (ICO).  It is the first time a decision by the ICO to issue a monetary penalty has been successfully challenged.

This could have significant implications for the way the ICO determines and issues penalties in the future.  Although the decision has been successfully challenged, it acts as a stark reminder that companies must have robust written contractual arrangements in place when outsourcing data handling.


In September 2011, 676 files relating to employee pension records (including salary and bank account details) were found by a member of the public in a local supermarket’s car park recycling bin.  SBC had employed a third party to digitise the pension records but had failed to have a written contract in place and had not sought appropriate guarantees relating to the security of the data.

Appealing ruling

The Information Tribunal has now concluded that there were insufficient grounds to support the ICO’s fine and the money paid by SBC, in satisfaction of the fine, should be returned.  The tribunal has yet to give its full ruling outling its reasons for overturning the fine.


You may wish to take this as an opportunity to review the arrangements that you currently have in place for the processing of personal information on your behalf.  Remember, even if an organisation decides to outsource data processing, it remains responsible for the security of the personal information.