back to article Worker dumps council staff's private data in supermarket skip

The Information Commissioner's Office (ICO) deemed that Scottish Borders Council had been guilty of a serious breach of the Data Protection Act. The watchdog said the organisation had failed to manage the outsourcing of the personal data processing properly. The Council had arranged for a man, known only as 'GS', to "digitise …


This topic is closed for new posts.
  1. Andrew Moore


    > The Council had arranged for a man, known only as 'GS'

    I wonder if his middle initial is '4'...

  2. Number6


    It sounds to me like the information was outsourced very well.

  3. zaax

    Another Data Protection Officer get away with it as the local tax payer gets turned over for £¼m

    1. Anonymous Coward
      Anonymous Coward

      You assume the DP Officer had any input in this. In my experience I suspect they will have been left completely out of the loop sadly.

  4. Anonymous Coward
    Anonymous Coward

    GS would provide the Council with "unencrypted discs" containing the information, but the local authority was unaware that GS had been recycling the paper records during a "potential seven year period".

    Really the mind boggles at the ineptitude and lack of common sense. I wonder if they had someone in the office photocopying the records before handing them over and that person was plain too stupid to care what happened to them after that.

    1. Anonymous Coward
      Anonymous Coward

      You don't know Scottish Borders Council

      I've lived in a lot of local authority areas and had contact with those authorities in all of them. None of them is as amateurish as SBC.

      I moved into a new build development and from the start all sorts of mail started going astray. SBC (who named the street as they are required to do under the Civic Government (Scotland) Act 1982) wrote to me (at the wrong address and illegally using the edited electoral roll for the purpose) to tell me (and my neighbours in this street and the next) that it was *our* fault for using the address as they had named it and as it was registered with the Royal Mail. Naturally on investigation it turned out that this was instigated over G&T at the local golf club by a man who was accepting letters and packages not addressed to him (Postal Services Act 2000 - Section 84 offence; Post Office Act 1953) to the detriment of the family living at the same number property as he (although in a different street).

      I had the last laugh though due to the incompetence of a gas supplier when I changed supplier (providing the meter point ID in doing so) when they sent me a cheque for £2500 and cut off the hideous witch at the top of the road because they decided that I'd moved into her house and the new meter reading indicated that I'd used no gas for 10 years :)

  5. Mystic Megabyte

    Was GS's job advertised or was it a "down the lodge" gift?

  6. Dave Bell

    Tracey Logan, chief executive of Scottish Borders Council, said it was "very disappointing" that the body had been issued with a £250,000 fine but said the Council does "acknowledge the seriousness" of the breach.

    Yeah right.

    It sounds as if anybody with actual responsibility is going to get away with it, When they're saying there wasn't even a written contract, it's whisky tango foxtrot time. They should have a named person as data controller, shouldn't they? And how does something like that get past the accountants and auditors?

    1. Tom 7 Silver badge

      And how does something like that get past the accountants and auditors?

      You owe me a keyboard!

      If the accountants and auditors were allowed to do their job properly there would be no outsourcing or no councils.

    2. wowfood

      Problem here is

      The council is underfunded, so they go out and find the cheapest contract / deal they can in order to save money.

      The cheapest / off the books option is normally cheap for a reason, something gets fucked up and the council has a fine (in this case £250,000)

      The council then has less money, so they're once again forced to hire the cheapest / off the books people to do other jobs which will invariably lead to more of the same cockups.

      What's more stupid is they fine the government, which then goes back into the governmetn minus expenses. So by fining the council what they're effectively doing is throwing away probably £20,000 and reallocating the rest to the main government body.

      If the councils were better funded / didn't waste so much money on the pointless, they probably wouldn't have to hire the cheapest option, meaning they don't get slapped with fines, meaning more money overall.

      Rather than fining the council itself, they should have placed a fine on the individual who made the deal and had them axed afterwards for gross incompetence.

      1. Anonymous Coward
        Anonymous Coward

        Re: Problem here is

        "The council is underfunded wastes to much money on themselves, so they go out and find the cheapest contract..."

        Fixed it for you.

    3. Anonymous Coward
      Anonymous Coward

      Nope, the 'person or persons' refered to in the DPA are the corporate body itself rather than a specified individual so it is the Council that is the Data Controller.

  7. Anonymous Coward
    Anonymous Coward

    "the body had been issued with a £250,000 fine" ..

    but who will pay it - the officials responsible for supervising GS, who allowed the activities that led to the fine, and so should be held personally accountable for it, or the council's employees in general? No. The tax payer will end up funding it. So far no news about council staff being dismissed for allowing it, or council chief executive or any councillors falling on swords .. once again, irresponsible behavior by govt leads to public picking up the tab. They won't even name the idiot concerned.

    1. Tom 7 Silver badge

      Re: "the body had been issued with a £250,000 fine" ..

      re my previous post - if the council could afford proper auditing and accounting it would cost a lot more than the £250,000 fine. If a council could find a lawyer or an auditor that could see his or her way through these contracts to ensure that companies who did outsourcing behaved properly and were audited then one of several things would happen:

      1) They would be outsourced to the company who couldn't get their dodgy contracts accepted.

      2) That company would sue for some reason or other about the bidding process.

      3) They would start taking holidays in the Caymans.

      4) The government would change the law so their friends could get the council work without realistic overheads.

      5) etc etc ad projectile nauseam.

    2. Phil O'Sophical Silver badge

      Re: "the body had been issued with a £250,000 fine" ..

      Fine *all* the councillors as individuals, and bar them from holding public office again until they pay. They're happy to take collective credit when something good happens, so let them take collective responsibility as well.

      1. Lamont Cranston
        Thumb Up

        @Phil O'Sophical

        Oh, so very much this.

      2. mark 63 Silver badge
        Thumb Up

        Re: "the body had been issued with a £250,000 fine" ..

        Like it - its a step further than the "fine the director of IT" cries.

        Group responsibility Like in the army!

        He F**cked up, so you all do 50 laps!

  8. Evan Essence

    Lessons Will Be Learned

    "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data."

    Right. Just like all the other "positives" in other cases.

  9. albaleo

    No privacy to protect

    This is the Scottish Borders. Everyone knows everything about everyone else. I'm surprised GS needed to be given paper records in the first place. He or she could have just asked Mrs Kerr along the road, and she would revealed how much everyone earned and what they were last in hospital for.

    1. cyclical

      Re: No privacy to protect

      Very true, I moved to the Borders 4 weeks ago, and am literally three miles from the nearest neighbour through some pretty rough terrain. Since I've been here I've had about 10 visitors asking who I was, was I local, what do you do, did I want to know the history of the area, do you want to see my dog, do you want to come shoot some pheasants. In 35 years of living in big cities I rarely got more than a 'Hey' from people who lived the next flat over.

      The first thing the local farmer told me was 'I just shot a man'. At least I think that's what he said. I don't think normal rules apply here.

  10. Magnus_Pym


    As others have said.

    Where does the money for this fine come from and where does it go?

    I suspect it come out of an already underfunded council budget into a central government slush fund. How does that help anyone?

  11. spanner

    Remind me. Who exactly was it who got the sack?

  12. Isendel Steel

    GS - obviously (a sack of cash and documents)

  13. rototype
    Paris Hilton

    This sounds like a classic....`

    ... passing the contract to one of the senior councillors mates (probably discussed on the golf course/over a few drinkies). - ie a backhander.

    The lack of controls is probably due to the fact the person 'awarding' the contract has absolutely no idea what controls are or even the slightest idea what data protection means. It was probably stipulated that the records needed to be unencrypted as no-one doing the processing has the nouse to understand what to do with encrypted files. (probably because they're paying peanuts - you know what sort of staff you get for peanuts)

    Paris 'cos I think even she'd manage to do it better.

  14. jumpyjoe

    Dosen't the council have a quality control office(r) which assesses whether the outsourced company conforms to the appropriate ISO standard eg. ISO 9001 and maintains that standard? This should be the minimum requirement of control and tracability for any council which outsources some of it's functions.

    Dishing out contracts ad hoc is a recipe for disaster.

  15. adam payne

    The fine will be paid by us the taxpayer not the council.

    What I would like to know is was the person known as GS fined as well? I would also like to know who was given the boot at the council?

  16. Mark C 2

    I know...

    Deduct the fine from the Councils collective pension fund - that should focus the attention of all of the employees.

    And, convert the final salary pension scheme to one funded by the employees, not the tax payer.

  17. LinkOfHyrule

    True story

    I know someone who as part of his work, was acting on behalf of a client who was a former employee of that council. Anyway, this person I know needed some info on his clients pension, so he called up the council to enquire - they told him to go look in the bins round the back of ASDA and if he couldn't find it there, try the bins outside Lidl!

  18. Triggerfish

    RE: Lessons Will Be Learned

    "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data."

    Of course, because things like this have never happened before, I mean if I typed in say "council, data protection and breach" into a search engine there would be no prior examples at all.

    How much are these f'wits getting paid again?

  19. Corinne

    What I can't understand is why digitising these records required a contract for an external person to take them away, then return them in the electronic format.

    Anywhere I've worked that's needed data prep done has just employed a person (or more if there's loads of records) and set them up a PC working in the office, putting the data directly onto the internal systems. The paper copies can then be disposed of with the other confidential waste of which there's loads in any government body anyway, and there's no unencrypted portable media floating around.

    I doubt the cost of hiring one decent quality data prep person plus setting them up for a few months work, and the additional confidential waste disposal, would total up to the amount of the DPA fine now incurred either.

    1. MachDiamond Silver badge


      Corinne, you're dead right. It would be a perfect job for a couple of students in their off time to make a few quid. Admonish them about not telling any secrets they find out or they get 3 years of collecting rubbish every weekend. A broom closet with a high speed scanner and a pc is all it takes. Easy peasy and cheap as chips.

    2. Anonymous Coward
      Anonymous Coward

      The job was outsourced properly

      To a senior council employee's schoolboy son with a laptop and a scanner (supplied at thrice the cost by same councilors shell ousourced IT company).

      His local waste collector stopped picking up the black bags of shredded paper so he asked his mates to dump some off for him.

      1. Snapper

        Re: The job was outsourced properly

        Who said anything about them being shredded?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022