On 11 September 2012, the UK Information Commissioner’s Office (ICO) announced that it had fined the Scottish Borders Council £250,000 under the Data Protection Act 1998 (the DPA) following the discovery of a former Council employee’s pension records in a supermarket’s car park paper recycling bank. The document was one of at least 676 files containing confidential personal data that were deposited in this way.  The documents were only brought to light when a member of the public alerted the police.

According to the Penalty Notice issued by the ICO, the data protection failure was originally caused when the Council entered an outsourcing arrangement for the digitisation of its former employees’ and former members’ pension records with a third party company without also agreeing a data processing contract with that company to guarantee the technical and organisational security of the data.  Under the DPA, a data controller remains responsible for the security of personal data even when data are transferred to a third party processor.

In a statement, Ken Macdonald, ICO Assistant Commissioner for Scotland, said: “If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

This is the twelfth — and highest — monetary penalty handed out by the ICO to a British local government council since the beginning of 2012.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.