A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records with no written contract in place between the Scottish council and GS containing the data processing and security requirements specified by the Information Commissioner’s Office (ICO). Files containing Council employees’ names, addresses, national insurance numbers and, in some cases, individual’s salary and bank account details, had been dumped in a supermarket’s recycling bank and found by a member of the public. In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS. GS would send to the council by standard post unencrypted discs containing the information. It said that the council was unaware that GS was disposing of the paper records in recycling banks. The ICO said in its civil monetary notice “ The Commissioner is satisfied that the contravention w
Brian Miller, solicitor, provides legal advice on data protection and privacy issues affecting businesses and consumers.