Continuing the unfortunate trend of public sector organisations falling foul of the Data Protection Act, we have another example of the ICO levying a large fine on a council.
Today the UK Information Commissioner’s Office (ICO) announced that the Scottish Borders Council has been fined £250,000 for allowing the improper disposal of personal data.
As is (worryingly) often the case, this incident was the result of a badly managed outsourcing arrangement which raises the spectre of other data losses yet to be discovered.
From the ICO’s press release:
Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
…
The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.
But Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.
Based on this account, it appears that the Council entered into an outsourcing agreement with a third party firm but inexplicably failed to carry out any form of supply chain assessment to determine the suitability of this firm to delivery the necessary controls. It appears that this 3rd party firm then (inevitably) eventually got to the point where it was unable to dispose of the files and this resulted in an employee feeling that a supermarket recycling bin (and an overfilled one at that) was acceptable.
As the ICO points out, it is fortunate that the person who saw this contacted the police but it is never going to be possible to know if every file was recovered leading to a risk of identity theft for anyone whom the council had records on.
Without knowing the company involved, it is hard to speculate on the costs that the Scottish Borders Council saved by using this route to dispose of data, so one can only hope that it was significantly greater than the £250,000 fine.
Unfortunately for the council in question here, after paying the fine they are now going to have to go back and make sure all the correct controls are in place, which is likely to substantially increase the costs of the contract. In most cases, changing terms like this after an incident is significantly more expensive than ensuring they are in place before hand – an analogy is buying car insurance before or after you have had a crash…
The most important lesson here is that this is something that can happen to almost any organisation that processes personal data and then outsources disposal.
If you neglect to ensure security is built into the contract and can be delivered, there will be a security breach. It is inevitable.
Some top tips for any organisation (private sector or Government body) looking to outsource data disposal:
- Make sure there is a due diligence / supplier assessment carried out on the service provider before you sign the contract. As a bare minimum, this should include:
- Make sure the provider complies with a recognised security standard (such as ISO27001) for their activity and, ideally, is certified to that standard.
- Within the UK, you should also be looking for firms where the staff are properly screened (following a recognised process, such as BS7858) and the firm is a member of the SIA.
- A site visit must be carried out by either your security manager or a trusted professional.
- The contract terms must include the minimum acceptable security measures and have an enforceable punishment for violation. This should at least match the potential fine from the ICO and any resulting reputational damage.
- During the contract you must continue to monitor the provider. Too often companies see outsourcing as a way to forget about a “problem” but it should never be the case. When you outsource, you absolutely must have a suitably skilled professional to monitor the service being provided.
This will, inevitably, raise the costs of the outsourcing plans but it will pretty much eliminate the risk that the ICO will land a £250,000 fine and before long, individuals are likely to work out how to take legal action against people placing their personal data at risk.
Additionally, if you work for a data disposal company, security is pretty much essential for your business to survive. There is little doubt that if the disposal firm (which fails to train its staff well enough to prevent them dumping data into recycling bins) had been named by the ICO it would be close to out of business by now.
If you are offering a service disposing of any type of customer data (DPA personal or not), then it is essential that you follow good security practices and have reasonable security controls in place around how your employees dispose of that data. Anything else is not “cutting costs,” it is borderline malpractice. (Shareholders of data disposal companies take note!)
Over the next few months, Halkyn Consulting will look to producing some guidance and “help sheets” to assist companies in carrying out vendor security assessments and for service providers to make sure they follow good practice. In the interim, if you would like to discuss any of this, or see how it might impact your business, please get in touch.
