Friday, February 08, 2013

Scottish Borders Council £250K data fine case goes to appeal tribunal as local authority is ranked 'worst' for data handling violations in entire UK

Scottish Borders Council was recently fined £250K for data breaches.

SOUTH OF SCOTLAND local authority Scottish Borders Council (SBC) have been ranked the most unsafe local authority for data handling & security in the entire United Kingdom in terms of fines imposed by the Information Commissioner, putting SBC at the top of the list with a fine of TWO HUNDRED & FIFTY THOUSAND POUNDS.

The information was revealed in a Freedom of Information request made to the Information Commissioner’s Office detailing figures of 158 self-reported security breaches in the space of about 18 months, which local transparency campaigners claim renders many local authorities including SBC unfit for purpose, while Council taxpayers are having to pay heavily for the carelessness of councillors and highly paid officials who seem to dodge accountability at every turn.

Scottish Law Reporter recently reported on further developments in the case of the fine imposed on Scottish Borders Council, who have since appealed the ICO fine even though the Council agreed to pay £200,000 to the ICO late last year as a ‘discounted fine’ for its breach of the Data Protection Act. It was further revealed in our report that Scottish Borders Council will also face costs of up to £150K whether it wins or loses the appeal to the ICO over the fine.

BBC NEWS has also reported on the case, which is now going to a three-judge panel hearing to be held between 20 and 22 March in Edinburgh or the Borders.

Legal experts are however predicting Scottish Borders Council will lose its appeal and deservedly so, as there appears no doubt the data breaches did occur and local authorities like all others must be made to comply with the law.

Information contained in the FOI release by the Information Commissioner stated:

1. There have been a total of 158 self-reported security breaches brought to our attention by local authorities.

2. The fines which can be issued by the ICO against any data controller for a breach of the Data Protection Act 1998 and Privacy and Electronic Communications (EC Directive) Regulations 2003 are known as monetary penalty notices (MPN’s).  Details of all MPN’s which have been issued by the ICO since our powers to issue fines came into effect are published on our website.  However, for the sake of clarity we can confirm the following MPN’s have been issued against local authorities:
11 September 2012 – Scottish Borders Council (£250,000)
6 June 2012 – Telford & Wrekin Council (£150,000)
15 May 2012 – London Borough of Barnet (£70,000)
14 March 2012 – Cheshire East Council (£80,000)
13 February 2012 – Croydon Council (£100,000)
13 February 2012 – Norfolk County Council (£80,000)
30 January 2012 – Midlothian Council (£140,000)
6 December 2011 – Powys County Council (£130,000)
28 November 2011 – North Somerset Council (£60,000)
28 November 2011 – Worcestershire County Council (£50,000)
9 June 2011 – Surrey County Council (£120,000)
8 February 2011 – Ealing Council (£80,000)
8 February 2011 – Hounslow Council (£70,000)

3. The nature of the breaches have been recorded as follows (please note that from 1 April 2012 we have changed the way in which we have recorded the nature of the breach/incident, hence we have provided two tables):

Pre April 2012: Disclosed in error – 50, Lost data/hardware – 8, Lost in transit – 5, Non-secure disposal – 2, Other – 6, Stolen data/hardware – 17, Technical/procedural failure – 4.

Post April 2012: Disclosed in error – 36, Lost or stolen hardware – 4, Lost in transit – 1, Lost or stolen paperwork – 10, Non-secure disposal of paperwork – 1, Other – non principle 7 incident – 1, Technical security failing (including hacking) – 2, Still awaiting classification – 1.
