On 11 September 2012, the UK Information Commissioner’s Office (ICO) announced that it had fined the Scottish Borders Council £250,000 under the Data Protection Act 1998 (the DPA) following the discovery of a former Council employee’s pension records in a supermarket’s car park paper recycling bank. The document was one of at least 676 files containing confidential personal data that were deposited in this way.  The documents were only brought to light when a member of the public alerted the police.

According to the Penalty Notice issued by the ICO, the data protection failure was originally caused when the Council entered an outsourcing arrangement for the digitisation of its former employees’ and former members’ pension records with a third party company without also agreeing a data processing contract with that company to guarantee the technical and organisational security of the data.  Under the DPA, a data controller remains responsible for the security of personal data even when data are transferred to a third party processor.

In a statement, Ken Macdonald, ICO Assistant Commissioner for Scotland, said: “If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

This is the twelfth — and highest — monetary penalty handed out by the ICO to a British local government council since the beginning of 2012.