Interesting....
> The Council had arranged for a man, known only as 'GS'
I wonder if his middle initial is '4'...
The Information Commissioner's Office (ICO) deemed that Scottish Borders Council had been guilty of a serious breach of the Data Protection Act. The watchdog said the organisation had failed to manage the outsourcing of the personal data processing properly. The Council had arranged for a man, known only as 'GS', to "digitise …
GS would provide the Council with "unencrypted discs" containing the information, but the local authority was unaware that GS had been recycling the paper records during a "potential seven year period".
Really the mind boggles at the ineptitude and lack of common sense. I wonder if they had someone in the office photocopying the records before handing them over and that person was plain too stupid to care what happened to them after that.
I've lived in a lot of local authority areas and had contact with those authorities in all of them. None of them is as amateurish as SBC.
I moved into a new build development and from the start all sorts of mail started going astray. SBC (who named the street as they are required to do under the Civic Government (Scotland) Act 1982) wrote to me (at the wrong address and illegally using the edited electoral roll for the purpose) to tell me (and my neighbours in this street and the next) that it was *our* fault for using the address as they had named it and as it was registered with the Royal Mail. Naturally on investigation it turned out that this was instigated over G&T at the local golf club by a man who was accepting letters and packages not addressed to him (Postal Services Act 2000 - Section 84 offence; Post Office Act 1953) to the detriment of the family living at the same number property as he (although in a different street).
I had the last laugh though due to the incompetence of a gas supplier when I changed supplier (providing the meter point ID in doing so) when they sent me a cheque for £2500 and cut off the hideous witch at the top of the road because they decided that I'd moved into her house and the new meter reading indicated that I'd used no gas for 10 years :)
Tracey Logan, chief executive of Scottish Borders Council, said it was "very disappointing" that the body had been issued with a £250,000 fine but said the Council does "acknowledge the seriousness" of the breach.
Yeah right.
It sounds as if anybody with actual responsibility is going to get away with it. When they're saying there wasn't even a written contract, it's whisky tango foxtrot time. They should have a named person as data controller, shouldn't they? And how does something like that get past the accountants and auditors?
The council is underfunded, so they go out and find the cheapest contract / deal they can in order to save money.
The cheapest / off the books option is normally cheap for a reason, something gets fucked up and the council has a fine (in this case £250,000).
The council then has less money, so they're once again forced to hire the cheapest / off the books people to do other jobs which will invariably lead to more of the same cockups.
What's more stupid is they fine the government, which then goes back into the government minus expenses. So by fining the council what they're effectively doing is throwing away probably £20,000 and reallocating the rest to the main government body.
If the councils were better funded / didn't waste so much money on the pointless, they probably wouldn't have to hire the cheapest option, meaning they don't get slapped with fines, meaning more money overall.
Rather than fining the council itself, they should have placed a fine on the individual who made the deal and had them axed afterwards for gross incompetence.
but who will pay it - the officials responsible for supervising GS, who allowed the activities that led to the fine, and so should be held personally accountable for it, or the council's employees in general? No. The tax payer will end up funding it. So far no news about council staff being dismissed for allowing it, or council chief executive or any councillors falling on swords .. once again, irresponsible behavior by govt leads to public picking up the tab. They won't even name the idiot concerned.
re my previous post - if the council could afford proper auditing and accounting it would cost a lot more than the £250,000 fine. If a council could find a lawyer or an auditor that could see his or her way through these contracts to ensure that companies who did outsourcing behaved properly and were audited then one of several things would happen:
1) They would be outsourced to the company who couldn't get their dodgy contracts accepted.
2) That company would sue for some reason or other about the bidding process.
3) They would start taking holidays in the Caymans.
4) The government would change the law so their friends could get the council work without realistic overheads.
5) etc etc ad projectile nauseam.
This is the Scottish Borders. Everyone knows everything about everyone else. I'm surprised GS needed to be given paper records in the first place. He or she could have just asked Mrs Kerr along the road, and she would have revealed how much everyone earned and what they were last in hospital for.
Very true, I moved to the Borders 4 weeks ago, and am literally three miles from the nearest neighbour through some pretty rough terrain. Since I've been here I've had about 10 visitors asking who I was, was I local, what do you do, did I want to know the history of the area, do you want to see my dog, do you want to come shoot some pheasants. In 35 years of living in big cities I rarely got more than a 'Hey' from people who lived the next flat over.
The first thing the local farmer told me was 'I just shot a man'. At least I think that's what he said. I don't think normal rules apply here.
... passing the contract to one of the senior councillor's mates (probably discussed on the golf course/over a few drinkies). - ie a backhander.
The lack of controls is probably due to the fact the person 'awarding' the contract has absolutely no idea what controls are or even the slightest idea what data protection means. It was probably stipulated that the records needed to be unencrypted as no-one doing the processing has the nous to understand what to do with encrypted files. (probably because they're paying peanuts - you know what sort of staff you get for peanuts)
Paris 'cos I think even she'd manage to do it better.
Doesn't the council have a quality control office(r) which assesses whether the outsourced company conforms to the appropriate ISO standard e.g. ISO 9001 and maintains that standard? This should be the minimum requirement of control and traceability for any council which outsources some of its functions.
Dishing out contracts ad hoc is a recipe for disaster.
I know someone who, as part of his work, was acting on behalf of a client who was a former employee of that council. Anyway, this person I know needed some info on his client's pension, so he called up the council to enquire - they told him to go look in the bins round the back of ASDA and if he couldn't find it there, try the bins outside Lidl!
"If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data."
Of course, because things like this have never happened before, I mean if I typed in say "council, data protection and breach" into a search engine there would be no prior examples at all.
How much are these f'wits getting paid again?
What I can't understand is why digitising these records required a contract for an external person to take them away, then return them in the electronic format.
Anywhere I've worked that's needed data prep done has just employed a person (or more if there's loads of records) and set them up a PC working in the office, putting the data directly onto the internal systems. The paper copies can then be disposed of with the other confidential waste of which there's loads in any government body anyway, and there's no unencrypted portable media floating around.
I doubt the cost of hiring one decent quality data prep person plus setting them up for a few months' work, and the additional confidential waste disposal, would total up to the amount of the DPA fine now incurred either.
Corinne, you're dead right. It would be a perfect job for a couple of students in their off time to make a few quid. Admonish them about not telling any secrets they find out or they get 3 years of collecting rubbish every weekend. A broom closet with a high speed scanner and a pc is all it takes. Easy peasy and cheap as chips.
To a senior council employee's schoolboy son with a laptop and a scanner (supplied at thrice the cost by same councillor's shell outsourced IT company).
His local waste collector stopped picking up the black bags of shredded paper so he asked his mates to dump some off for him.