ICO’s £250k fine for Scottish Borders Council overruled

Scottish Borders Council has successfully appealed a £250,000 fine from the Information Commissioner's Office for breach of the data protection act.

The ICO fined the local authority in September last year, after employee pensions records were discovered in a recycling bin.

The council had appointed an external service provider to digitise its records. The ICO ruled that it had "failed to seek appropriate guarantees on how the personal data would b kept secure".

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," said the ICO's assistant commissioner for Scotland, Ken MacDonald, at the time.

Scottish Border Council paid the fine when it was asked, but appealed in October. It said it was "very disappointing" to receive such a penalty "in the current economy climate.

Today, the fine was overturned by the Information Tribunal, the court that rules on data protection and Freedom of Information cases, follow a four day hearing. The Tribunal has yet to give its reasons for overturning the fine.

"I am extremely pleased with the outcome and have always strongly believed that the MPN issued by the ICO in this case was unjust and disproportionate," said Scottish Borders Council CEO Tracey Logan in a statement.

"Of course, I acknowledge that there were gaps in our processes in this case – but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the council.

The ICO said it was " disappointed with the result and await the full ruling from the Tribunal confirming the reasons for its decision before deciding whether to appeal."

“We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice," it added. 

"The Tribunal agreed with us that the breach, which led to over 600 pension records being found in an overfilled paper recycling bank in a supermarket car park, was a serious one, but we were unable to satisfy them that it was likely to lead to substantial damage or substantial distress being caused to the individuals affected.”

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics

Data Breach