Information Commissioner’s Office gives Medway Council six months to ensure it has a training course in place
Medway Council has failed to ensure that mandatory data protection training was rolled out across the organisation, despite being advised to do so by the Information Commissioner’s Office.
The ICO had carried out an audit of the council back in October 2014 which provided ‘limited assurance’. It recommended that mandatory data protection training should be given to all staff and that there should be regular refresher training, which would be monitored.
In a follow-up audit in June 2015, the ICO found that the training had been implemented and it advised Medway Council to continue to roll this out across the organisation.
In the same year, a Big Brother Watch report revealed that Medway Council had breached the Data Protection Act on eight occasions. Data had not been provided properly when it should have been, and in two of the eight breaches, an employee was disciplined internally. There were no resignations or convictions in either of those cases, while in the other six instances, disciplinary action wasn’t taken.
Just last month, the council said its Twitter feed had been taken over by hackers after a series of tweets set out dream policies of people claiming to be acting on behalf of the citizens of Medway.
In an enforcement notice, the ICO said it carried out a further investigation into the council’s compliance with the provisions of the Data Protection Act following two security breaches, although it did not specify which breaches these were.
It continued: “The data controller [the council] has failed to take adequate steps to ensure that mandatory data protection training has been rolled out, as advised”.
The Commissioner has given the council six months to ensure there is a mandatory data protection training programme for staff and refresher training at least every two years.
It said that delivery of the training should be tailored to reflect the needs of staff following an analysis. The council also has to ensure that completion of any such training is monitored and properly documented.
The council can appeal the decision.