Worcestershire County Council is at “substantial risk” of failing to ensure proper data protection, according to an inspection report.
The Information Commissioner’s Office carried out a data protection audit in the wake of an incident in November 2011 in which sensitive personal data was mistakenly released to the wrong parties.
The ICO has now concluded that there is only a “very limited assurance” that processes are in place to deliver data protection compliance.
Its report said: “The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.”
The audit revealed some areas of good practice, including mandatory data protection online training modules for all staff.
But it said that the council had no formal information governance structure in place, although a senior information risk owner has recently been appointed.
The ICO said that the council should appoint and train information asset owners and develop a comprehensive information asset register.
“This should identify all information assets held (both paper and electronic), detail owners of these assets and risk assess the threats to those assets,” it said.
This register should be maintained centrally by a named owner and updated at least annually.
According to the audit, responsibility for information governance is split between individuals in a number of different departments.
In addition, policy documents relating to data protection and information governance are “either not being regularly reviewed or, where reviews are taking place, records of these reviews are not being maintained”.
Some of the current policies do not identify key roles in relation to IG or describe key responsibilities, it added.
The ICO recommended the introduction of privacy impact assessments, which should be embedded into project development and system design processes.
The council, according to the report, does not have a standard log or maintain a log of information sharing agreements.
The ICO recommended that Worcestershire should apply monitoring and disposal arrangements for projects that involve sharing data with other organisations.
Nobody from the council was available to comment on the report at the time of publication.