From the Information Commissioner’s Office:
Walsall Council breached the Data Protection Act by accidentally dumping hundreds of local residents’ postal vote statements in a skip, the Information Commissioner’s Office (ICO) said today.
The statements – which were disposed of in March 2011 by an external contractor on the council’s behalf – included people’s names, addresses, dates of birth and signatures. Despite the council’s best efforts, 951 statements have not been recovered and are believed to have ended up in landfill or been destroyed.
The ICO’s investigation found that the council did not have a contract in place with the organisation processing this personal information. The council also failed to provide their contractor with instructions on how the information should be kept secure, as required under the Act.
Simon Entwisle, Director of Operations, said:
“While councils can hire contractors to process personal information on their behalf, they must remember that they are still ultimately responsible for ensuring people’s information is kept secure. Obviously little thought was given to this when the statements were disposed of in the skip.
“We are pleased that Walsall Council has now taken action to make sure that adequate security measures are put in place.”
Paul Sheehan, Chief Executive of Walsall Council, has now signed a formal undertaking to ensure that contracts are put in place with all suppliers hired to process personal data on the council’s behalf. The council will also make sure that sufficient guarantees are agreed with their suppliers and will carry out checks to make sure that their own data protection policies and information security procedures are being followed.