ICO imposes £250,000 fine following failure to adequately supervise service provider

The Information Commissioner (ICO) yesterday imposed his second highest fine to date, and highest outside the NHS, on a Scottish local authority following inadequacies in relation to an outsourcing contract.

This case involved a local authority which outsourced the scanning of pension records to a third party, as part of a long term scanning project. The arrangement commenced in 2005, and involved the scanning of thousands of files. However, no written contract was in place between the local authority and the supplier, and it appears no supervision or monitoring of the supplier’s information security arrangements was ever carried out.

The problems came to light in September last year, when a member of the public noticed that a paper recycling bank was overfilled with discarded files. Fortunately, the individual in question reported the find to the police, who in turn secured the site and alerted the local authority. Upon investigation, it turned out that almost 900 files had been disposed of by the supplier at recycling banks that day alone. Prior to the breach coming to light, a further 8,000 files had previously been disposed of by the supplier.

The records in question contained a large amount of personal data, including national insurance numbers, salary and bank account details. Some files also contained information on ill health benefits.

Data protection and outsourcing
When organisations think of outsourcing, they will usually think of high value projects involving IT or the outsourcing of entire business processes.

This case highlights that the same rules on data security apply to the performance of more routine, low value tasks contracted out to third parties. The fact that this particular local authority had no written contract in place with the supplier, never mind robust provisions dealing with data security, suggests that this appointment was likely an ad hoc arrangement that did not go through the formal governance procedures.

It is also clear that supervision of the supplier’s activities fell through the cracks. Nevertheless, the local authority remains responsible under the DPA for ensuring that the data in question is adequately protected.

The case also serves as a reminder of the importance of exercising contractual rights of audit and oversight. It is not enough simply to include a data protection clause in a contract. The ICO expects data controllers to be able to demonstrate that they have carried out appropriate diligence on the adequacy of the security measures put in place by their suppliers, and to continually monitor the supplier to ensure that those measures are being complied with and remain fit for purpose.

Justification for the penalty
As I have noted previously, when considering what security measures are appropriate, the ICO expects data controllers to take into account the sensitivity of the information involved, and likely distress that may arise from loss or unauthorised access.

In imposing such a high monetary penalty in this case, the ICO noted that serious contraventions had occurred, with breaches by the local authority of a number of other obligations under the Data Protection Act (DPA). These included failures to:

  • choose a supplier that provided sufficient guarantees in relation to information security measures;
  • take reasonable steps to ensure compliance with those measures; and
  • have in place a written contract with the supplier which obliged the supplier to act only on the local authority’s instructions and to comply with obligations equivalent to those imposed under the seventh data protection principle (which requires that appropriate measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).

ICO guidance
The ICO provides some guidance for organisations intending to outsource a service (or reviewing their existing contracts with service providers):

  • Always select a reputable organisation to work with;
  • Make sure the organisation has appropriate data security measures in place, including how it disposes of data;
  • Make sure the organisation has appropriate security checks on staff too;
  • Put a clear, enforceable contract in place;
  • Make sure that contract requires the contractor to report any security breaches or other problems to you, and have procedures in place on how you will act if problems are reported;
  • If you are going to transfer personal data outside of the European Economic Area, make sure you’re doing so in line with the Data Protection Act 1998.

For small to medium sized organisations, more detailed guidance is available on the ICO’s website.

The importance of reviewing your supply arrangements
Since the monetary penalty regime came into force, many organisations have focussed on their internal information security arrangements and staff training.

As the latest ICO fine makes clear, however, now is the time to:

  • review your supply arrangements to ensure that appropriate contracts are in place with suppliers (having regard to the activities of that supplier), and that your suppliers are complying with their contractual obligations; and
  • separately review your policies on procurement, information security and the management of suppliers.

The cost of carrying out such a review is likely to be low compared to the potential fines that could be imposed by the ICO (and the reputational damage that follows) if any of those contracts are found to be deficient.

Brodies can help you to carry out such an exercise by working with your internal compliance and procurement teams to review the terms of your supplier contracts and your internal policies. To discuss this further, please contact me or your usual Brodies contact.
