ICO and DCLG warn local authority chief execs over data protection obligations

The Information Commissioner and the Department for Communities and Local Government jointly wrote to all local authority chief executives last month reminding them of their obligations under the Data Protection Act.

Christopher Graham, the Commissioner, and Sir Bob Kerslake, Permanent Secretary at the DCLG, also warned that the importance of looking after individuals’ personal information would take on “even greater importance” with the proposed transfer of responsibility for public health matters from the NHS to local authorities.

News of the letter came as five more councils gave undertakings to the ICO after breaching the DPA. The watchdog said all five cases involved the authorities failing to take steps to ensure personal information was secure.

One authority, Basingstoke and Deane Borough Council, admitted to breaching the Act on four separate occasions over a two-month period in 2011. An employee of Brighton and Hove Council, meanwhile, emailed details of another member of staff’s personal data to 2,821 council workers in July last year.

The other councils giving undertakings to the ICO were: Dacorum Borough Council, Bolton Council and Craven District Council. None received a monetary penalty, however.

The ICO has also served an enforcement notice on a sixth council, Staffordshire County Council, over the mishandling of a subject access request.

In their joint letter Kerslake and Graham emphasised the importance of good information governance.

“We recognise the practical difficulties that you face in trying to achieve this objective against a background of re-organisation and financial constraint, but – with the localism agenda in mind – it is vital that information governance receives high level support in your organisation, from you and your senior colleagues,” they wrote.

Kerslake and Graham said they hoped the ICO’s powers to use monetary penalties would need to be used “only sparingly”, but highlighted the recent £130,000 penalty imposed on Powys County Council. (This has since been exceeded by the £140,000 penalty levied on Midlothian Council.)

The letter said there were some actions that all local authorities “can and should take” to reduce the likelihood of a penalty being imposed. In this respect, all local authorities should:

  • “Have identified and trained a board level individual to act as the Senior Information Risk Owner;
  • Continuously make staff aware of the existing information governance policies and guidelines, emphasising the importance of following them in practice and that a breach of policy will be regarded as a disciplinary matter; and
  • Ensure that all staff undertake regular and relevant information governance training.”

Kerslake and Graham also stressed how transparency was a key priority for local government, saying it was important for all authorities to get into the practice of making information available proactively.

“The free availability of non-personal information is the key to the success of Government’s localism agenda,” the letter said. “It is also a legal requirement of the FOI Act and the Commissioner does have enforcement powers to ensure local authorities meet their legal obligations where it becomes clear that they are not already doing so.”

The letter also highlighted the ICO’s offer of data protection audits and the watchdog’s recently published Data Sharing Code of Practice.

Kerslake and Graham concluded: “Both of us would like to ensure that good information governance supports a successful approach to transparency while continuing to protect the privacy of individuals.

“Where, despite our joint efforts, data protection obligations are not met, the ICO will exercise its enhanced powers to take whatever action is appropriate. We hope that this will only be an exceptional approach.”

The Information Commissioner recently submitted a business case to the Ministry of Justice calling for the extension of his compulsory audit powers over central government to cover local government and the NHS.

Commenting today [10 February] Graham said: “At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.

“We must also consider the detrimental impact these breaches continue to have on the individuals affected.”

Philip Hoult