ICO audits reveal governance failings in local authority data protection

The Information Commissioner’s Office has expressed concern at standards of data protection compliance within local government, saying that governance in particular is a common area for improvement.

Publishing an overview of the 19 audits undertaken at local authorities, the watchdog said just one had achieved the highest level of assurance.

Of the 19, seven councils (37%) were rated overall as providing “reasonable assurance”, ten (53%) as providing “limited assurance” and one (5%) as providing “very limited assurance”.

The ICO acknowledged that it had observed good practice in security of personal data and records management.

However, in relation to governance, it noted:

  • Poor monitoring of compliance with Data Protection Act policies and processes;
  • A lack of assurance testing; and
  • The absence of effective information asset management.

The ICO also published reviews of the audits it has undertaken in the private sector, the NHS and central government. It said the private sector had performed the best, with 11 out of 16 companies providing the highest level of assurance.

However, the NHS (with 1 out of 19 achieving the highest mark) and central government (2 out of 11) revealed similar problems to local government.

Louise Byers, Head of Good Practice at the ICO, said: “While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.

“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”

The report on local government audits suggested that overall controls could be enhanced with the introduction or development of the following:

  • The use of regular and enhanced compliance monitoring and reporting, in particular to Board level, to provide executive understanding of performance and to gain the support necessary to drive improvements.
  • The inclusion of information security and data handling in a programme of risk based internal audit.
  • The appointment of Information Asset Owners for all main systems (as per the Local Government Data Handling Guidelines), who are responsible for the creation and maintenance of Information Asset Registers which are then used to manage and track information assets effectively.
  • The implementation of processes and controls for the disposal/deletion of electronic records in a secure manner.
  • The development of guidance and reporting mechanisms for subject access requests, to track and monitor performance in meeting statutory timeframes.
  • The use of Privacy Impact Assessments for new (or significant changes to) information systems and data handling processes to identify and address information risks in the early stages of a project (as per the Local Government Data Handling Guidelines).
  • The development and delivery of specialised training to identified staff, based on job role requirements, i.e. Data Protection Officers, Senior Information Risk Officers, Information Asset Owners, Records Managers and subject access request handlers.

The performance ratings for the NHS were meanwhile as follows: high assurance (1); reasonable assurance (10); and limited assurance (4). None were assigned a “very limited assurance” rating.

The NHS report identified security of personal data as the common area for improvement in that sector. In particular the ICO noted: poor network access controls; a lack of specialised information security and systems training; and the absence of effective information security compliance testing or asset management.

In relation to the 11 central government departments audited, two were awarded “high assurance” ratings and nine were described as giving “reasonable assurance”.

Whitehall’s common area for improvement was in the security of personal data. This was frequently attributed to limited network access controls, and poor records management in relation to security and access.

The audits were conducted between February 2010 and July 2012.

Philip Hoult