A Welsh council has been given three months to improve its data protection after the information watchdog found that it had failed to heed warnings.
The Information Commissioner’s Office has issued a legal enforcement notice requiring Anglesey County Council to implement a nine-point plan to improve security.
The council has been investigated four times since two security incidents sparked concerns in 2011 and 2012.
A report by the commissioner said it did not believe assurances from the council that it has now put corrective measures in place.
Anne Jones, Assistant Commissioner for Wales, said: “It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements. Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect.
“Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”
Following the original issues, the council signed undertakings to make changes and improve practices. However, two further audits in July 2013 and October 2014 found unresolved issues.
The enforcement notice requires the council to monitor and act on data protection incidents, introduce mandatory data protection training, ensure that back-ups are properly carried out and that access rights are revoked promptly when staff leave.
It added that the council needs to address its current lack of adequate storage solutions for manual records.
A statement from the council said that following the 2013 audit, it had implemented more than 100 recommendations in the space of 12 months, and that the 2014 follow-up showed “a significant improvement in compliance”. It added that it has now completed 22 of a further 66 recommendations identified in 2014.
“The council is surprised to receive the enforcement notice at this time and stage in its improvement,” it said.
“However, the council is currently considering the actions referred to in the enforcement notice and will continue to cooperate with the ICO to implement the work-plan.”