Nearly half of audited councils give limited assurance on data protection: ICO

Six councils out of 16 audited by the Information Commissioner’s Office in 2013 were told they had “considerable room for improvement” when it came to complying with the Data Protection Act, while one authority was told that immediate action was required.

None of the audited councils received the highest assurance rating, the ICO revealed.

The watchdog's report identified a number of areas in which the sector could improve.

In relation to data protection governance, the ICO said:

  • An information governance strategy should be endorsed by the board to coordinate and drive compliance with legislative, regulatory and best practice information management requirements;
  • An agreed format, styling and version control process should be adopted for all policies and procedures as well as a defined process for review, ratification and approval, “to ensure that such guidelines are consistent and fit for purpose and continue to remain so”; and
  • A forum should be set up to help operational staff in raising data protection issues for wider and/or corporate consideration.

The report also listed improvements that could be made to aspects of records management, requests for personal data, security of personal data, training and awareness, and data sharing.

The ICO suggested there should be a mandatory and monitored training programme for the key employees responsible for processing subject access and third party requests for personal data.

In one case study it noted that a council “has not given formal specialised training to most employees processing subject access requests, and they tend to consult Legal Services for relevant advice”.

Also in relation to training, the watchdog called for appropriate and mandatory security awareness training for all employees in the organisation and, where relevant, for contractors and third party users.

It added that there should be foundation and periodic data protection related refresher training in line with corporate and/or departmental requirements.

Specific data protection training should meanwhile be given for specialised roles as appropriate, “for example, a DPO, SIRO, Records Manager, IAOs and relevant employees”.

The ICO report did also list areas of good practice it had observed. These included:

  • Assigning ownership of information governance to key posts such as a data protection officer or a senior information risk owner;
  • Publishing and making policies and procedures available to all employees to promote awareness;
  • Having information risk registers and/or reports;
  • Making fair processing notices readily available to inform data subjects;
  • Giving responsibility to key individuals and/or teams for processing subject access requests;
  • Assigning information security responsibilities to establish relevant ownership and responsibility within the corporate information security framework;
  • Performing quality assurance in relation to redaction of information and the application of exemptions;
  • Doing penetration testing and/or using intrusion detection software;
  • Making key individuals and/or teams take clear ownership of and responsibility for data protection training;
  • Compiling reports and communicating them;
  • Senior management signing off data sharing agreements; and
  • Maintaining logs of data sharing agreements.

John-Pierre Lamb, ICO Group Manager in the Good Practice team, said: “The Information Commissioner has levied monetary penalties on local authorities for the most serious breaches of the data protection principles totalling over £2.3m.

“The types of breaches we’re seeing are fairly consistent, with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent.”

He added: “It’s clear that there’s room for improvement, and not just by the local authorities we visited: the areas for improvement we identified in those visits should prove helpful to many local authorities.

“By learning from the mistakes of others, and indeed learning from the examples of good practice we found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door.

“Our figures show that local authorities have much to do to improve data protection governance and training. We recognise that councils are having ‘to do more with less’ due to ongoing budgetary pressures, but it is important to appreciate that the lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA.”