ICO: Councils need to sharpen up on data protection ahead of GDPR

Written by Rebecca Hill on 22 March 2017 in News

Survey shows lack of preparedness as data protection watchdog slaps £60,000 fine on Norfolk County Council

ICO tells councils to take action on data protection now - Photo credit: Fotolia

A survey carried out by the UK’s data protection watchdog has found that a quarter of councils don’t have a data protection officer, while more than 15% don’t provide data protection training for employees.

The Information Commissioner’s Office carried out the survey of around 180 councils at the end of last year, in a bid to spread awareness of the impending General Data Protection Regulation that will come into force in May 2018.

The survey results have been published at the same time as the watchdog gave Norfolk County Council a £60,000 fine for a 2014 incident where social work case files relating to seven children were left in a cabinet that was given to a second hand shop.

The ICO said that there was “no good reason” for oversight, and that the council should have had “robust measures” in place to protect the information.

It emphasised the importance of councils having the right staff and procedures in place, while noting that the survey showed councils were still some way from the ideal situation.

Related content

Socitm president Geoff Connell urges councils to combine data protection and exploitation roles
Same difference? How the GDPR will differ from the DPA – and what public servants need to do now
Public authorities ‘will find using consent difficult’, says ICO GDPR guidance

The survey, which was published on 20 March, found that 26% (45) of the councils do not have a data protection officer – a requirement of the GDPR.

In addition, 51% do not have a records manager, 45% have no appointed information security manager and 35% lack an information governance manager.

Meanwhile, 18% of councils said they did not have mandatory data protection training for staff that are processing personal data, which the ICO said was “concerning” as it is a vital part of limiting data breaches.

The ICO stressed that it was important that temporary staff are also given training, and that permanent staff had an annual refresher course – the survey found that a third did not run mandatory refresher courses.

The watchdog also urged councils to up their game on privacy impact assessments, after finding that 34% of councils don’t carry them out.

These assessments allow organisations to identify the best way to comply with data protection obligations, and will be a legal requirement under the GDPR for new technologies and when data processing is likely to result in high risk to the rights and freedoms of an individual.

Meanwhile, the survey found that a number of councils lacked high-level planning, management and monitoring of their compliance.

Some 37% said they did not have a data-sharing policy in place, while 57% said they lacked an information risk policy.

However, the ICO said it was “good to see that 93% of councils have a data protection and information security policy”, and 83% said they had a Freedom of Information policy.

It added that it was also important that councils kept track of the information they hold, and was able to use that to improve their data protection activities.

“It’s important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement,” the ICO’s head of good practice Anulka Clarke said.

This can be achieved through compliance reports and key performance indicators, she said – but noted that 27% of councils do not consider data protection training reports and KPIs.

Clarke said that councils that adhere to good practice measures under the Data Protection Act – which will be superseded by the GDPR – will be stood in good stead for the new regulation.

In a separate statement Clarke added that the ICO wanted to help councils meet their requirements. As in the case of Norfolk council, she said, the ICO would “issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents”.

Norfolk County Council’s head of information management, Geoff Connell – who took on the role in August 2016 – said that the council had used the ICO’s visits to “up its game” more broadly.

He added that it was important that the team didn’t use that as an end-point, and instead looked at it as part of continuous efforts to improve understanding of data protection and data sharing.

Share this page


Add new comment

Related Articles

West Yorkshire Police to roll out mobile scanners for on-the-spot fingerprint checks
13 February 2018

Devices are designed to check against national criminal and immigration databases and return results in under a minute

Drones and the city of the future
15 March 2018

Nesta’s Flying High Challenge is working with five UK cities to explore the use of drones in the delivery of public services. PublicTechnology talks to programme manager Nishita...

Technology must be embedded into frontline policing
13 March 2018

Sarah Timmis of think tank Reform discusses how digital can have a transformational impact for the emergency services

Related Sponsored Articles

How to quantify cyber risk
15 March 2018

BT's Malcolm Stokes explains how organisations can attribute accurate figures to cyber risks in order to make a viable business case.

Cyber security is one of the greatest man-made challenges of our time
6 March 2018

BT's Ben Azvine argues that the frequency and impact of breaches is increasing and we need to continuously adapt and innovate to stay ahead of the threat environment

Who keeps your organisation secure?
19 February 2018

BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.