Data breach investigation as Scottish council puts documents in public bin

A data breach investigation has been started in Scotland after Highland Council used a public waste bin to dispose of public documents which were subsequently discovered by a member of the public.

The eight-page document, which held the private and personal information of 24 children, was found in a refuse collection point outside Highland Council’s headquarters in Inverness.

The discovery has prompted an urgent investigation into the incident, while the council at the centre of the storm has said it has notified the Information Commissioner’s Office of its actions.

Among the data exposed are full names, birth dates and the case numbers of 28 young health patients, one of whom is eight months old. One of the documents holds information on an adoption arrangement.

A spokeswoman for the council said:

“The council is investigating this as a matter of urgency. We have been in touch with the Information Commissioner’s Office and will be reporting the breach to them in due course.

“We do have a policy on the destruction of confidential waste which is covered by our Information Security & Assurance policy.”

Much of the documentation related to minutes taken at a panel meeting at Highland Council, which is the largest local government area in the United Kingdom. The material was uncovered by a citizen in the region who was looking into a fly-tipping issue in the locality.

Post-it notes were among the many papers uncovered, some of which bore enquiries made to the council. The whole collection was found on the floor in torn bin liners sitting on the surface of an open bin.

MSP for Highlands and Islands, Rhoda Grant, was unequivocal in her reaction, describing the data breach incident as “inexcusable”.

“Clearly this is a serious breach of confidentiality. The fact that these sensitive documents could have been accessed by the public is, to me, shocking and inexcusable. It brings into question what training social work staff has had regarding confidentiality and GDPR.”

Bet McAllister, Depute Provost of Inverness, said that in all her twelve years working at the council, this had been the worst data breach she had witnessed.

“I’m totally shocked. I am sitting here stunned; I can’t believe that. That’s really disappointing but I cannot understand how it’s happened,” McAllister said.

“Obviously I am going to have to investigate this because that should never have happened and I will make damn sure that it never happens in the future. In the 12 years I have been on the council I have never ever heard of anything like that,” she added.

The council’s own guidelines say that paper containing private data must be “disposed of using the council’s confidential waste paper disposal bins or other approved method”.

Raymond Bremner, councillor for Caithness, said:

“This raises multiple questions about the policies and procedures that the Highland Council has in place in respect of data protection.

“How can we be so inconsiderate in respect of the sensitivity and nature of the material that has been found? I would like to sincerely thank the person who has reported this matter and I will be raising it tonight with the Chief Executive Officer at a meeting I will be attending.

“We need to get to the bottom of this and ensure the persons responsible are held to account so that we never have an incident like this again.”

A spokeswoman for the Information Commissioner’s Office said:

“All organisations have the obligation to keep personal data secure, whether in electronic or paper format, particularly when sensitive data is involved. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO and we can look into the details.”
