ICO: Councils need to sharpen up on data protection ahead of GDPR
Survey shows lack of preparedness as data protection watchdog slaps £60,000 fine on Norfolk County Council
ICO tells councils to take action on data protection now - Photo credit: Fotolia
A survey carried out by the UK’s data protection watchdog has found that a quarter of councils don’t have a data protection officer, while more than 15% don’t provide data protection training for employees.
The Information Commissioner’s Office carried out the survey of around 180 councils at the end of last year, in a bid to spread awareness of the impending General Data Protection Regulation that will come into force in May 2018.
The survey results have been published at the same time as the watchdog gave Norfolk County Council a £60,000 fine for a 2014 incident where social work case files relating to seven children were left in a cabinet that was given to a second hand shop.
The ICO said that there was “no good reason” for oversight, and that the council should have had “robust measures” in place to protect the information.
It emphasised the importance of councils having the right staff and procedures in place, while noting that the survey showed councils were still some way from the ideal situation.
Socitm president Geoff Connell urges councils to combine data protection and exploitation roles
Same difference? How the GDPR will differ from the DPA – and what public servants need to do now
Public authorities ‘will find using consent difficult’, says ICO GDPR guidance
The survey, which was published on 20 March, found that 26% (45) of the councils do not have a data protection officer – a requirement of the GDPR.
In addition, 51% do not have a records manager, 45% have no appointed information security manager and 35% lack an information governance manager.
Meanwhile, 18% of councils said they did not have mandatory data protection training for staff that are processing personal data, which the ICO said was “concerning” as it is a vital part of limiting data breaches.
The ICO stressed that it was important that temporary staff are also given training, and that permanent staff had an annual refresher course – the survey found that a third did not run mandatory refresher courses.
The watchdog also urged councils to up their game on privacy impact assessments, after finding that 34% of councils don’t carry them out.
These assessments allow organisations to identify the best way to comply with data protection obligations, and will be a legal requirement under the GDPR for new technologies and when data processing is likely to result in high risk to the rights and freedoms of an individual.
Meanwhile, the survey found that a number of councils lacked high-level planning, management and monitoring of their compliance.
Some 37% said they did not have a data-sharing policy in place, while 57% said they lacked an information risk policy.
However, the ICO said it was “good to see that 93% of councils have a data protection and information security policy”, and 83% said they had a Freedom of Information policy.
It added that it was also important that councils kept track of the information they hold, and was able to use that to improve their data protection activities.
“It’s important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement,” the ICO’s head of good practice Anulka Clarke said.
This can be achieved through compliance reports and key performance indicators, she said – but noted that 27% of councils do not consider data protection training reports and KPIs.
Clarke said that councils that adhere to good practice measures under the Data Protection Act – which will be superseded by the GDPR – will be stood in good stead for the new regulation.
In a separate statement Clarke added that the ICO wanted to help councils meet their requirements. As in the case of Norfolk council, she said, the ICO would “issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents”.
Norfolk County Council’s head of information management, Geoff Connell – who took on the role in August 2016 – said that the council had used the ICO’s visits to “up its game” more broadly.
He added that it was important that the team didn’t use that as an end-point, and instead looked at it as part of continuous efforts to improve understanding of data protection and data sharing.
Jessica Russell of techUK believes increased collaboration between the emergency services and technology partners could deliver improved public-safety outcomes
New technology could eradicate need to remove liquids from hand luggage
Patients in Scotland given option of virtual appointments via PC or mobile device
Biostar 2 data leak compromises millions of sensitive data records but UK public sector users yet to detect any ill effects
After more than 20 years of stability, networks are going through a period of dramatic transformation. BT looks beyond the hype at the real benefits of virtualisation.
How can you stay ahead in the fast-paced world of digital technology? BT describes how it's a matter of focus...
The security threat landscape is confusing and changing rapidly – there’s so much out there, how do you understand where the true risks are? BT offers insight from their own experience
Organisations must alter their approach to cyber security recruitment in order to combat the global shortage of security professionals, writes BT