
Payroll firm reprimanded after thousands of personal records discovered in abandoned shredding bins


Information Commissioner finds payroll documents spanning nearly two decades left unsecured after company’s local closure

A payroll administration company operating on the Isle of Man has been formally reprimanded by the Information Commissioner after thousands of personal records were discovered in unsecured shredding bins left in a vacated office.

Payroll Partners Limited had ceased its local operations in March 2024 following a merger. However, several months later, the company’s former landlord reported finding two full, unlocked shredding bins containing payroll documents at the premises.

The discovery was reported to the Information Commissioner’s Office in August 2024, prompting the regulator to secure the documents while attempting to contact company representatives.

Officers collected the contents of the bins and transferred them into 14 storage boxes.

A preliminary “dip sampling” of five of those boxes revealed more than 9,700 records containing both personal and special category data.

The documents included names, salary information, dates of birth, immigration documents, financial records, identification papers, photographs and medical-related information such as maternity and sick notes.

The material dated from 2006 through to 2024.

In many cases, the records combined several pieces of personal information – such as names, addresses, dates of birth and salary details – which the ICO believes could have allowed a comprehensive profile of individuals to be created.

During the review process, it emerged that the Information Commissioner’s own personal data, relating to rental payments from 2006, was among the documents.

As a result, she recused herself from the investigation, with the Assistant Commissioner taking over responsibility for the case instead.

The investigation found that once the company became aware the shredding bins had not been disposed of as expected, it attempted to recover them through informal personal contacts.

When those efforts failed, no further formal legal steps were taken to retrieve the documents.

The regulator also found the situation had not been recognised by the company as a personal data breach, and had not been reported to the ICO. Additionally, no assessment was carried out to determine whether affected individuals should be informed.

According to the findings, the incident reflected several underlying issues, including ‘poor management of the business shutdown, inadequate controls for the secure destruction of paper records, and a lack of understanding about breach reporting obligations’.

The ICO believes leaving the bins behind demonstrated a ‘failure to follow basic data protection principles’ when handling sensitive personal information.

Although the overall risk to individuals was ultimately assessed as ‘low’ – largely because the premises remained locked – the regulator believes that protection arose by circumstance rather than design.

The case was publicised by the regulator to highlight ‘broader lessons for organisations handling personal data’.

It says businesses remain responsible for personal information throughout the full lifecycle of their operations, including during closures or mergers.

The ICO stressed the importance of ‘clear data destruction processes and retention policies’, noting that holding records dating back nearly two decades suggested inadequate data management practices.
