Data security incidents in local government rose by 34% at the start of 2016, but John-Pierre Lamb of the Information Commissioner’s Office says some solutions are easy to implement. Gill Hitchcock reports.
Taking details of an adoption case out of the office to work on at home probably seemed like a safe thing to do for one member of staff at West Dunbartonshire Council. But when a thief stole a laptop and paperwork from their car, a child’s medical reports were taken too.
This serious data security breach, in July 2014, came after repeated requests from the Information Commissioner’s Office for the council to implement data protection training, as well as its advice about a home working policy.
Despite this, West Dunbartonshire failed to act and the ICO issued a formal notice for them to do so in April this year.
John-Pierre Lamb, who leads one of three audit teams in the ICO, says that although training staff in data protection is relatively easy and cheap to implement, it is still a fairly common problem in local government.
“There are lots of good online resources for data protection training, as well as lots of good organisations to provide this, including the ICO, the National Archives and the Information Records and Management Society,” he says.
But despite the risks of not doing so – the ICO can issue fines of up to £500,000 – it seems some councils aren’t taking this seriously enough.
Last autumn, Isles of Scilly Council was ordered by the ICO to implement training after two data breaches resulted in personal information about a disciplinary hearing and an investigation into the conduct of a head teacher being disclosed.
And, although most councils have a good track record on information security, figures from the ICO for January to March 2016 reveal that the number of data security incidents in local government was up by 34% compared to the previous quarter.
Lamb acknowledges that resources are an issue. “Councils are obviously under extreme pressure from budget cuts and things like training, internal audits and information governance get cut,” he says.
But he believes that some councils have very good information governance teams that are undermined by a “culture” within senior management that does not take accountability and responsibility for data protection seriously.
“Sometimes information governance teams are sidelined, and not really integrated into the organisation,” says Lamb. “Even a very good data protection manager with a good data protection officer is going to struggle in that sort of environment. That is an issue we frequently find.”
Another challenge is the sheer volume and diversity of the information that local authorities handle.
“One of the key things about data protection compliance is understanding what records you hold, where they are, who is responsible for them and how long you are holding them for,” Lamb says.
And this problem, he says, is exacerbated for councils working across wide geographies and sometimes from offices in separate towns.
“When you add the diversity of geography, methods, functions and feeds, that all makes records management much harder and councils struggle,” says Lamb.
“A lot of them haven’t properly done a record management audit, they are not aware of all the records they hold, and they do not have a proper information assets register.”
Lamb’s team, which focuses almost exclusively on local government, consists of two managers and between six and eight auditors.
Its resources are limited, meaning the team can only carry out about 15 audits each year, which it does after risk assessing the councils it thinks would most benefit from its intervention.
“We don’t see an average council,” says Lamb. “Ideally we see those that are having the most difficulties with compliance, and they are not representative of the sector as a whole.”
Since 2010, when the ICO first gained the power to fine organisations for data protection breaches, councils have paid more than £2.35 million in penalties.
Although the office’s research suggests that fines are very effective in improving and promoting compliance with the Data Protection Act, Lamb is keen to point out that it is not the intention of the ICO to impose fines.
The office – which doesn’t get to keep the money – only does so as a last resort, in cases where the authority concerned has ignored previous warnings and committed a serious breach.
As councils seek to provide more efficient, joined-up services for citizens, they increasingly need to share data internally and externally, for instance with health and social care providers.
But the ICO’s data from the first quarter of 2016 indicates a problem: 21% of local government incidents (9 incidents) affected social care data and 16% (7 incidents) affected health or clinical data.
“There is a lack of knowledge about sharing data in a way that is compliant with data protection,” says Lamb, although he notes that the government is trying to address the complex legal area with its data sharing bill.
The ICO has long been promoting privacy impact assessments – which aim to identify potential risks in data collection and sharing – as a way for organisations to find out whether they are complying with the Data Protection Act.
However, after May 2018 the European Data Protection Regulation will make privacy impact assessments an obligation.
“Some councils have grasped this and already have good privacy impact assessment procedures in place,” says Lamb. These, he adds, ensure that everyone involved understands that when the council is looking at sharing data it should be doing an assessment, consulting with the information governance team and putting a data sharing agreement in place.
“Our audit process is absolutely designed to help, and when we go in it’s about providing practical solutions to councils’ problems,” he says.
“If you talk to our enforcement colleagues though, they will tell you it’s still mostly about emails going to the wrong address, faxes going to the wrong place,” Lamb says. “These are quite straightforward things to put right.”