A recent fine imposed by the Information Commissioner on Scottish Borders Council demonstrates that employers can be liable for breach of data protection legislation by their contractors.
All employers handling data about employees must comply with the Data Protection Act 1998 (the Act) and in particular, the eight data protection principles set out in that legislation.
However, this obligation does not just apply directly to an employer but extends to all service providers who may be handling employees' personal data on behalf of that employer; for example, scanning and waste disposal companies.
Employers are highly likely to handle employees' "sensitive personal data", as defined under the Act, in the running of their day-to-day business. Sensitive personal data includes health records and marital status so will be particularly relevant in the context of pension administration.
Employers cannot abdicate their responsibilities and must be satisfied that their service providers are compliant with the requirements of the Act. This is borne out by a recent case in which the Scottish Borders Council was fined £250,000 by the Information Commissioner. In this case, 670 pension files were found by a member of the public in a supermarket recycling bin. The Council, in its capacity as employer and data controller, was held liable for the files being destroyed in a non-secure manner by its outsourced service provider, which was responsible for scanning employees' pension files.
The Council had made several errors under the Data Protection legislation:
- it had no agreement in writing with the outsourced service provider
- it had not checked the arrangements for handling sensitive personal data in the pension files
- it failed to ensure that the scanned pension files were disposed of securely.
When it comes to Data Protection, employers are liable to pay the price for the failings of their outsourced service providers. It is therefore essential that employers have streamlined and compliant arrangements in place to try to avoid incurring substantial fines due to the shortcomings of their outsourced service providers.
As a minimum, there should be a written agreement between the data controller and the data processor, which should contain warranties regarding compliance with the data protection principles and an indemnity for any breach of the Act to encourage best practice.