The information watchdog has threatened a council with court action unless it implements data protection training and guidance.
West Dunbartonshire Council has been repeatedly warned by the Information Commissioner’s Office about introducing staff training, and has been advised to put in place a policy around home working.
However, its failure to do so has been linked to an incident where details of an adoption case were lost after an employee had a laptop and paperwork stolen from their car overnight.
Related content
Department for Education axes school spelling test after it was leaked online
Cybersecurity in the Government: Managing the ongoing challenge of insider threats
Ken Macdonald, assistant information commissioner for Scotland, said: “Time and time again we have told this council to make these changes, and yet they have still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring them to act.
“Let’s be clear, what we’re asking for here is a basic requirement for an organisation that is trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the council with their details, they expect staff are trained to handle this information properly.
“Unfortunately, more than three years after this was made clear to the council, this still hasn’t happened.”
The ICO carried out an audit of the council in January 2013 which gave a reasonable assurance of the council’s compliance with the law, but recommended areas needing improvement.
However, a follow-up audit in November that year found that some recommendations had still not been implemented.
When the laptop and paperwork were stolen in July 2014, it turned out that the employee had not been given training on the Data Protection Act. However, the council avoided a fine at that time because the breach did not cause substantial damage or distress.