Scottish Borders Council data breach fine decision overturned

An appeal hearing has overturned a £250,000 fine for Scottish Borders Council over data protection failings.

The Information Commissioner's Office issued the Monetary Penalty Notice (MPN) in September last year.

SBC paid the fine to get a 20% discount but lodged an appeal saying the scale of it was "very disappointing".

A four-day hearing of the Information Tribunal ruled there were insufficient grounds to justify the MPN and that the money paid should be refunded.

The fine related to an incident in September 2011 when employee pension records were found dumped in a supermarket car park.

The ICO described it at the time as a "classic case of an organisation taking its eye off the ball when it came to outsourcing".

However, the fine imposed has now been overturned.

The tribunal has requested both parties work together to identify the progress made on improving processes and systems since the breach.

A joint report containing this information, along with any outstanding actions and a timetable to implement them, must be submitted to the tribunal panel by 10 September.

SBC Chief Executive Tracey Logan said: "I am extremely pleased with the outcome and have always strongly believed that the MPN issued by the ICO in this case was unjust and disproportionate.

"Of course, I acknowledge that there were gaps in our processes in this case - but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the council.

"We are committed to continue to work with the ICO to ensure our processes and policies are as robust as possible."

Council leader David Parker said he was "delighted" with the outcome.

He said the monetary penalty and been "excessive" in the current economic climate.

"Data and information security is a priority at SBC - and I am confident that the work taking place across the council to address any issues will be acknowledged appropriately in the future," he said.

The ICO said it had been informed of the decision to overturn the fine for what it described as "a serious breach of the Data Protection Act".

"We are disappointed with the result and await the full ruling from the tribunal confirming the reasons for its decision, before deciding whether to appeal," said a spokesperson.

"We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice.

"The tribunal agreed with us that the breach, which led to over 600 pension records being found in an overfilled paper recycling bank in a supermarket car park, was a serious one, but we were unable to satisfy them that it was likely to lead to substantial damage or substantial distress being caused to the individuals affected."