Data Protection Fine Shows Need for Care

When a Scottish council computerised its pension records, it failed to ensure that the paper records were appropriately disposed of – and the result was a £250,000 fine.

After the work was completed, files were discovered to have been dumped in two paper-recycling bins. The files contained personal details of council employees, including names, addresses, National Insurance numbers and, in some cases, salary details.

The Information Commissioner’s Office investigated the breach of data security and found that the council’s contract with the man entrusted to do the work did not have sufficient safeguards over data security, and that he was not monitored to ensure that he was complying with the Data Protection Act 1998 (DPA).

Despite the fact that there was thought to be no loss of data, the potential for damage arising from misuse of the discarded data, which posed a high risk of identity theft, was such that a substantial penalty was warranted.
