“Excessive” ICO fine against council overturned
A £250,000 data breach fine against a Scottish council has been overturned.
The Information Commissioner’s Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.
Most of its fines have been levied on councils and NHS bodies, although Sony recently agreed to pay a £250,000 fine after user data was leaked.
Last year, the Scottish Borders Council was fined £250,000 after 600 pension documents were found in a paper recycling bin in a supermarket car park. The council hired a third-party firm to digitise the records, but failed to ensure the documents were disposed of securely.
While the council paid the fine – as paying on time results in a 20% discount – it appealed the punishment.
After a four-day hearing, the Information Tribunal ruled the fine was not justified, and ordered the ICO to repay it. According to the ICO, it was unable to prove that the records would necessarily cause substantial damage or distress.
The ruling was welcomed by the council, with CEO Tracey Logan saying the fine was “unjust and disproportionate”. “Of course, I acknowledge that there were gaps in our processes in this case – but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the Council,” Logan added.
Council leader David Parker said “to issue such a high monetary penalty on a public authority in this economic climate was excessive”.
The council is still required to improve its data management.
The ICO said it was disappointed by the ruling and was considering appealing, calling the breach “serious”.
“We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice,” it added in a statement to the BBC.