Survey shows lack of preparedness as data protection watchdog slaps £60,000 fine on Norfolk County Council
ICO tells councils to take action on data protection now – Photo credit: Fotolia
A survey carried out by the UK’s data protection watchdog has found that a quarter of councils don’t have a data protection officer, while more than 15% don’t provide data protection training for employees.
The Information Commissioner’s Office carried out the survey of around 180 councils at the end of last year, in a bid to spread awareness of the impending General Data Protection Regulation that will come into force in May 2018.
The survey results have been published at the same time as the watchdog gave Norfolk County Council a £60,000 fine for a 2014 incident where social work case files relating to seven children were left in a cabinet that was given to a second hand shop.
The ICO said that there was “no good reason” for oversight, and that the council should have had “robust measures” in place to protect the information.
It emphasised the importance of councils having the right staff and procedures in place, while noting that the survey showed councils were still some way from the ideal situation.
Socitm president Geoff Connell urges councils to combine data protection and exploitation roles
Same difference? How the GDPR will differ from the DPA – and what public servants need to do now
Public authorities ‘will find using consent difficult’, says ICO GDPR guidance
The survey, which was published on 20 March, found that 26% (45) of the councils do not have a data protection officer – a requirement of the GDPR.
In addition, 51% do not have a records manager, 45% have no appointed information security manager and 35% lack an information governance manager.
Meanwhile, 18% of councils said they did not have mandatory data protection training for staff that are processing personal data, which the ICO said was “concerning” as it is a vital part of limiting data breaches.
The ICO stressed that it was important that temporary staff are also given training, and that permanent staff had an annual refresher course – the survey found that a third did not run mandatory refresher courses.
The watchdog also urged councils to up their game on privacy impact assessments, after finding that 34% of councils don’t carry them out.
These assessments allow organisations to identify the best way to comply with data protection obligations, and will be a legal requirement under the GDPR for new technologies and when data processing is likely to result in high risk to the rights and freedoms of an individual.
Meanwhile, the survey found that a number of councils lacked high-level planning, management and monitoring of their compliance.
Some 37% said they did not have a data-sharing policy in place, while 57% said they lacked an information risk policy.
However, the ICO said it was “good to see that 93% of councils have a data protection and information security policy”, and 83% said they had a Freedom of Information policy.
It added that it was also important that councils kept track of the information they hold, and was able to use that to improve their data protection activities.
“It’s important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement,” the ICO’s head of good practice Anulka Clarke said.
This can be achieved through compliance reports and key performance indicators, she said – but noted that 27% of councils do not consider data protection training reports and KPIs.
Clarke said that councils that adhere to good practice measures under the Data Protection Act – which will be superseded by the GDPR – will be stood in good stead for the new regulation.
In a separate statement Clarke added that the ICO wanted to help councils meet their requirements. As in the case of Norfolk council, she said, the ICO would “issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents”.
Norfolk County Council’s head of information management, Geoff Connell – who took on the role in August 2016 – said that the council had used the ICO’s visits to “up its game” more broadly.
He added that it was important that the team didn’t use that as an end-point, and instead looked at it as part of continuous efforts to improve understanding of data protection and data sharing.