The Information Commissioner’s Office has issued a reprimand after thousands of documents containing personal information were found dumped following a firm’s closure.

Personal data found in two unlocked shredding bins in Payroll Partners Limited’s vacated offices included Information Commissioner Alexandra Delaney-Bhattacharya’s own rental payments dating back to 2006.

This meant she could take no part in the investigation into the data breach.

Payroll Partners Limited had closed its payroll administration operations in the Isle of Man in March 2024 following a merger.

In August that year, the company’s former landlord reported that two full, unlocked shredding bins containing personal payroll documents had been found in the company’s vacated office.

Given the reported amount and sensitivity of the data, the Information Commissioner’s Office decided to secure the documents while tracking down representatives of Payroll Partners Limited (PPL).

The documents were transferred into 14 storage boxes.

‘Dip sampling’ of five boxes revealed more than 9,700 records.

These contained both personal and special category data, including names, salary information, dates of birth, immigration documents, financial records, identification documents, photographs, maternity and sick notes, and more.

Records ranged from 2006 to 2024.

In many instances, the combined personal data provided a comprehensive overview of specific individuals, including name, address, dates of birth, and salary information.

With the Information Commissioner having recused herself, the Assistant Commissioner took control of the investigation.

PPL had co-operated with the investigation.

Once they were made aware of the shredding bins, the company attempted to retrieve them through local personal contacts.

But when this was unsuccessful, they didn’t pursue this through further formal legal procedures.

Despite learning that the shredding bins had not been disposed of as expected, PPL did not recognise the situation as a personal data breach.

They had not reported it to the Information Commissioner or assessed whether affected individuals should be notified.

The incident highlighted several underlying issues.

It showed that the business shutdown was not managed properly and the company didn’t have good enough controls in place to make sure paper records were destroyed safely.

Leaving the bins behind showed that the company failed to follow basic data protection rules, especially for handling sensitive personal information.

It didn’t understand when or how to report a data breach, and there was a lack of accountability.

While the risk to individuals was ultimately assessed as low - largely because the premises were locked - this mitigation arose by chance rather than design.

The Information Commissioner’s Office only releases full infringement notices for the most serious cases, but has publicised the reprimand issued against PPL as a case study to help educate other organisations and inform people of their rights.

It says the case reinforces the message that organisations remain responsible for personal data throughout the entire lifecycle of their operations, including after closure.

Clear destruction processes are essential, it said, and holding vast amounts of data going back to 2006 showed a lack of retention policy.

The advice of the Information Commissioner’s Office is to only hold on to data that you need.