A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records with no written contract in place between the Scottish council and GS containing the data processing and security requirements specified by the Information Commissioner’s Office (ICO).
Files containing Council employees’ names, addresses, national insurance numbers and, in some cases, individual’s salary and bank account details, had been dumped in a supermarket’s recycling bank and found by a member of the public.
In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS. GS would send to the council by standard post unencrypted discs containing the information. It said that the council was unaware that GS was disposing of the paper records in recycling banks.
The ICO said in its civil monetary notice “The Commissioner is satisfied that the contravention was of a kind likely to cause substantial damage or substantial distress to data subjects whose confidential personal data (including financial information) was seen by a member of the public who had no right to see that information.”
The Data Protection Act (“DPA”) sets out a number of requirements that data controllers must adhere to, including selecting processors that can provide sufficient guarantees that they can properly meet the technical and organisational measures requirement and take reasonable steps to ensure compliance, and having in place a written contract with data processors, specifying that the processor may only undertake processing activities that the controller tasks them with and that the processors meet the technical and organisational measures requirement of the DPA.
Under the DPA, the data controller is responsible for personal data security standards being met by the processors. When outsourcing, data controllers should therefore take the appropriate measures to ensure compliance, including choosing reputable data processors and having a written contract in place which deals with the necessary data protection requirements.
If you are in any doubt about the detailed terms of a data processing agreement, we can help.
© Brian Miller, solicitor, 2012.
Brian can be contacted at Stone King, Solicitors. For further news and information on legal topics of interest, please visit Brian's other blogs:
Brian Miller Solicitor's IT Law Blog