A Scottish local authority has been fined £250,000 after the pension records of former employees were found in a paper recycling bank in a supermarket car park. The penalty has been imposed on Scottish Borders Council by the Information Commissioner's Office.
Many of the files contained salary and bank account details. They were discovered last year by a member of the public, who called the Police.
The council is quoted as saying it was "disappointing" to receive such a high fine.
A total of 676 files relating to the council's Local Government Pension Scheme were recovered from the recycling bank in September 2011. The council checked them against records and then securely destroyed them. A further 172 files had been processed at another recycling bank, but the council said this would have been carried out mechanically.
The Information Commissioner said the council had employed an outside company to digitise the records, but had failed to seek appropriate guarantees on how the personal data would be kept secure.
Ken Macdonald, Assistant Commissioner for Scotland, said: "This is a classic case of an organisation taking its eye off the ball when it comes to outsourcing. It is only good fortune that these records were found by someone sensible enough to call the Police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own. If one positive thing can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data."
Scottish Borders Council said measures had already been put in place to ensure there was no repeat of the incident. Chief Executive Tracey Logan, commented: "It is very disappointing to receive such a high monetary penalty from the ICO especially in the current economic climate. We do acknowledge the seriousness of this breach and have already taken steps to ensure data protection continues to be a priority across the council. We are fully committed to the complying with the terms set out in the ICO's undertaking."
Logan said that all contracts with suppliers were now established and monitored by specialist procurement staff and the council would continue to train, support and raise awareness on the importance of data protection.
She added: "This additional expenditure is obviously unhelpful at a time when public funding is already stretched. We do have robust financial monitoring processes in place across the council however, and have always ensured we have the funds available to cover such unforeseen costs within our reserves."
