The London Borough of Islington has been given three areas in which to improve its data-protection work following an audit by the Information Commissioner’s Office (ICO).
According to the watchdog, there is a “reasonable level of assurance” that processes and procedures are in place and delivering data protection, but it warned there was “some scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act.”
According to the ICO, Islington self-reported several breaches of service-users’ data over the past three years, with one 2012 case considered serious enough to require a Civil Monetary Penalty.
The just-published summary of an inspection earlier this year found failings with Islington’s practices in relation to recording customers’ calls to its contact centre – in particular that call-recording was not disabled when service users provided payment card details.
The ICO report said Islington’s practice was a breach of Payment Card Industry accreditation requirements, but accepted that a project was under way to address the issue.
Additionally, the watchdog said the authority needed to improve its corporate oversight of performance in response to Subject Access Requests (SARs), used by members of the public to ask for details of the personal data held about them.
It said: “There is no centralised system for logging, processing and oversight of SARs, with departments maintaining spreadsheets containing varying levels of information. This situation should be improved with the proposed implementation of a bespoke corporate casework system to log all SARs received by the council.”
The ICO also found that new starters and locums working for the council’s adult social services department were sometimes given access to its case-management system without any training. It said the problem was due to be addressed with an e-learning module to supplement the council’s monthly half-day training sessions.
The inspection report said Islington had several areas of good practice, with a “clear reporting mechanism” for both data breaches and IT security incidents, and that “significant work” had been undertaken by the council to develop a robust ICT infrastructure.
Councillor Andy Hull, Islington’s finance and performance lead, said the authority had been keen to benefit from the ICO’s scrutiny, and the “yellow” status awarded to the council following the audit placed it in the second-highest of four possible categories.
“During the information commissioner’s audit, a few areas were highlighted for development, as expected,” he said.
“Many of the commissioner’s recommendations have already been implemented and we are working towards the completion of the rest.
“All our residents, customers and service users can be confident that the data we hold is stored and handled securely.”
The ICO’s audit looked specifically at Islington’s training and awareness work, the security of personal data, and the handling of SARs.
An executive summary of the findings can be found here.