£250k fine for dumping council workers' files in Tesco bins, er, binned I have just read the information tribunal decision and the reasons why the panel quashed the UK Information Commissioner’s £250,000 fine against the Scottish Borders council. The local authority was punished after a worker dumped employees' private data in bins at a nearby Tesco and another unnamed supermarket. It seems clear …
"typically… a name, an address, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature, a nominee to receive benefits”. In other words there was no sensitive personal data involved". I beg to differ this is sensitive personal data.
Otherwise a very interesting article.
I would consider my bank account details and signature as "sensitive" information, especially when combined with name, address, date of birth and possibly NINO.
Sensitive in this context doesn't mean information that could affect sensibilities, e.g. embarrassing or intimate; it means data that can compromise the security of important things - in this case, the bank accounts of the people who's data was carelessly discarded.
Given the act has been in force since 1998 its beyond doubt the person/s dealing with the documents knew about the act but chose to ignore it that's why work places have sensitive material boxes available which are safely destroyed.
Secondly a name,address, date of birth, national insurance number and salary is quite clearly considered sensitive data as defined under the act ,that's the whole point to provide adequate protection from misuse of such data.
"Finally, I think the idea of an MPN levied against any public sector data controllers lacks logic; there should be instead an offence associated with deliberately ignoring or grossly neglecting an obligation to comply with a data protection principle."
There should be both; an MPN levied against the named individual responsible for compliance in that specific case (and followed by their dismissal), and if no individual can be identified an offence of "failing to supervise" where the elected representatives (councillors or ministers) responsible for supervising their departments get automatically booted out of office, no pay-offs or parachutes.
All those boards and panels and committees and guidelines and bureaucratic crap. Costing how many millions of pounds of taxpayers' hard-earned money. And all failing to prevent someone doing the wrong thing.
A little common sense and common decency would go a long way. Fat chance.
"name, an address, date of birth, national insurance number" you're saying this isn't sensitive personal data? Like to give me your details and I'll see what I can do with them?
This whole thing is legalistic timewasting, they're guilty, fine the idiots half their annual budget. As for the perennial harping on about the taxpayers paying the fine, that's ok, the taxpayers are responsible for what is done in their name.
Firstly, have you ever actually tried to get anything out of a supermarket paper recycling bank? It isn't easy, to put it mildly; and if you manage to avoid injury, then at the very least you will draw attention to yourself trying.
Secondly, who's expecting for there to be anything "interesting" in there anyway? Chances are the contents are mostly junk mail and newspapers. Yes, that's "security by obscurity" and therefore not especially strong, but the question "which one of thousands of pieces of paper out of which bin is the one I'm looking for?" is a bit of an obstacle.
Thirdly, if someone's paying for some "waste product", you can be reasonably confident that they are actually going to recycle it properly.
All things considered, there are worse ways they could have tried to get rid of it -- and easier ways to get hold of people's sensitive personal data.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
