Dumfries and Galloway Council breached data protection laws by disclosing the names, salaries and dates of birth of nearly 900 staff, the Information Commissioner’s Office has ruled.
The personal data, recorded in a spreadsheet, was mistakenly made available for two months on a Council web site following an enquiry under the Freedom of Information Act. The spreadsheet was finally removed only after the Town Hall received complaints from a trade union and other affected individuals.
In response, Dumfries and Galloway commissioned an external audit of its procedures for responding to information requests and has said it will address any procedural weaknesses uncovered during the audit by January 2012.
The breach will give added weight to Information Commissioner Christopher Graham’s campaign for the power to conduct compulsory data protection audits in local government and the health service. Graham recently pointed out that the most serious personal data breaches, resulting in fines, have all occurred in the local government sector. Four of the six penalties served so far involved local authorities.
The Council said it would introduce appropriate checks to ensure that personal data is handled in compliance with the Data Protection Act.
Ken Macdonald, the ICO’s assistant commissioner for Scotland, said: “Being open about Council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights. Procedures clearly went wrong in this case and I’m pleased that the Council is reviewing its practices in light of the lessons that have been learned.”