The Information Commissioner has fined Scottish Border Council £250,000 under the Data Protection Act for not putting in appropriate guarantees when it outsourced responsibility to an external company to digitise employees' pension records.
Some 676 records were deposited by the unnamed company into a recycle bin in a supermarket car park, which contained information on employee salary and bank accounts. The files were spotted by a member of the public, who called the police.
A further 172 files deposited on the same day, but at a different paper recycling bank, are thought to have been destroyed in the recycling process.
The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.
"This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," ," said Ken Macdonald, ICO Assistant Commissioner for Scotland.
"When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."
He added: "If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law."
The ICO last month also issued a swingeing £175,000 fine on a health trust that published a spreadsheet containing sensitive information on 1,400 employees on its website.