ICO imposes fine of £250,000 for data protection breach by Scottish council



A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records. No written contract was in place between the council and GS, and so none of the data processing and security requirements expected by the Information Commissioner’s Office (ICO) had been imposed on him.

Files containing council employees’ names, addresses and national insurance numbers, and in some cases individuals’ salary and bank account details, had been dumped in a supermarket’s recycling bank and were found by a member of the public.

In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS. GS sent the digitised information back to the council on unencrypted discs by standard post. The ICO said that the council was unaware that GS was disposing of the paper records in recycling banks.

The ICO said in its civil monetary penalty notice: “The Commissioner is satisfied that the contravention was of a kind likely to cause substantial damage or substantial distress to data subjects whose confidential personal data (including financial information) was seen by a member of the public who had no right to see that information.”

The Data Protection Act (“DPA”) sets out a number of requirements that data controllers must meet when using a data processor. The controller must select a processor that provides sufficient guarantees that it can meet the DPA’s requirement for appropriate technical and organisational security measures, and must take reasonable steps to ensure that the processor complies with those measures. The controller must also have a written contract in place with the processor which specifies that the processor may only act on the controller’s instructions and must itself meet the technical and organisational measures requirement of the DPA.

Under the DPA, the data controller remains responsible for ensuring that its processors meet the required personal data security standards. When outsourcing, data controllers should therefore take appropriate measures to ensure compliance, including choosing reputable data processors and having a written contract in place which deals with the necessary data protection requirements.

If you are in any doubt about the detailed terms of a data processing agreement, we can help.



Brian can be contacted at Stone King, Solicitors.  For further news and information on legal topics of interest, please visit Brian's other blogs:


Brian Miller Solicitor's Computer Games Law Blog

Brian Miller Solicitor's IT Law Blog
