Breach details
| What |
Loss of sensitive personal data. |
| How much |
676 records. |
| When |
10 September 2011 |
| Why |
A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council. |
Regulatory action
| Regulator |
ICO |
Action |
Monetary penalty of £ 250,000£ 0
Overturned on appeal to the Information Rights Tribunal |
| When |
11 September 2012 |
Why the regulator acted
| Breach of act |
There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person. |
| Known or should have known |
The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident. |
| Likely to cause damage or distress |
Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of. |
Appeal
The MPN was overturned on appeal to the Information Tribunal.
View PDF of the Scottish Borders Council Appeal (Information Tribunal)
Links
