A local authority has been told to take action to comply with data protection laws after an audit sparked by two breaches relating to personal data.
The Information Commissioner has given Central Bedfordshire Council a “limited assurance” rating following a series of interviews with council staff.
It recommended that the council takes action to improve data sharing practices, training and records management – the latter which was identified as a particular concern.
The ICO report said: “There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance.
“The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.”
In particular, the ICO said that there is no role-specific data protection traning for employees with information ownership responsibilities or for those with access to sensitive information.
It also said that the council is lacking an information security manager and information security policy, contrary to guidelines on local public service data handling.
In addition, there is no corporate data sharing policy or log of all data sharing agreements.
On the positive side, the inspectors identified good practice relating to e-learning modules on data protection, plus robust controls to prevent unauthorised access to electronic records.
The ICO carried out the audit after its enforcement department was alerted to a case where the council incorrectly addressed a mailing of sensitive personal data, and a further one where it failed to redact a social worker’s personal data from a crime report.
The council was created from the merger of Bedfordshire County Council and Mid Bedfordshire and South Bedfordshire District Councils on 1 April 2009.