Scottish Council fined over data protection breaches
Monday, November 26, 2012
The Information Commissioner has fined a council £250,000 for a data breach that saw former employees' pensions records found in a paper recycling bank in a supermarket car park.
Scottish Borders Council, a Local Government Pension Scheme administering authority, employed a third party data processor, GS, to digitise the records of former pension scheme members. However, it put no contract in place with GS, failed to seek sufficient guarantees on how the personal data would be kept secure and did not regularly monitor how the records were being handled. The Information Commissioner found that the Council had contravened the Data Protection Act 1988, which requires certain data to be kept secure and effectively provides that a party which outsources its data processing remains legally responsible for the security of the data.
Although the decision involves a Scottish Council, it is significant for other data controllers in the pensions market, in particular trustees of pension schemes and employers providing pension arrangements, and serves as a warning to ensure secure arrangements are in place for data processing.