ICO: Councils need to sharpen up on data protection ahead of GDPR

Written by Rebecca Hill on 22 March 2017 in News

Survey shows lack of preparedness as data protection watchdog slaps £60,000 fine on Norfolk County Council

A survey carried out by the UK’s data protection watchdog has found that a quarter of councils don’t have a data protection officer, while more than 15% don’t provide data protection training for employees.

The Information Commissioner’s Office carried out the survey of around 180 councils at the end of last year, in a bid to spread awareness of the impending General Data Protection Regulation that will come into force in May 2018.

The survey results have been published at the same time as the watchdog gave Norfolk County Council a £60,000 fine for a 2014 incident where social work case files relating to seven children were left in a cabinet that was given to a second-hand shop.

The ICO said that there was “no good reason” for the oversight, and that the council should have had “robust measures” in place to protect the information.

It emphasised the importance of councils having the right staff and procedures in place, while noting that the survey showed councils were still some way from the ideal situation.

The survey, which was published on 20 March, found that 26% (45) of the councils do not have a data protection officer – a requirement of the GDPR.

In addition, 51% do not have a records manager, 45% have no appointed information security manager and 35% lack an information governance manager.

Meanwhile, 18% of councils said they did not have mandatory data protection training for staff that are processing personal data, which the ICO said was “concerning” as it is a vital part of limiting data breaches.

The ICO stressed that it was important that temporary staff are also given training, and that permanent staff had an annual refresher course – the survey found that a third did not run mandatory refresher courses.

The watchdog also urged councils to up their game on privacy impact assessments, after finding that 34% of councils don’t carry them out.

These assessments allow organisations to identify the best way to comply with data protection obligations, and will be a legal requirement under the GDPR for new technologies and when data processing is likely to result in high risk to the rights and freedoms of an individual.

Meanwhile, the survey found that a number of councils lacked high-level planning, management and monitoring of their compliance.

Some 37% said they did not have a data-sharing policy in place, while 57% said they lacked an information risk policy.

However, the ICO said it was “good to see that 93% of councils have a data protection and information security policy”, and 83% said they had a Freedom of Information policy.

It added that it was also important that councils kept track of the information they hold, and were able to use that to improve their data protection activities.

“It’s important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement,” the ICO’s head of good practice Anulka Clarke said.

This can be achieved through compliance reports and key performance indicators, she said – but noted that 27% of councils do not consider data protection training reports and KPIs.

Clarke said that councils that adhere to good practice measures under the Data Protection Act – which will be superseded by the GDPR – will stand in good stead for the new regulation.

In a separate statement Clarke added that the ICO wanted to help councils meet their requirements. As in the case of Norfolk council, she said, the ICO would “issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents”.

Norfolk County Council’s head of information management, Geoff Connell – who took on the role in August 2016 – said that the council had used the ICO’s visits to “up its game” more broadly.

He added that it was important that the team didn’t use that as an end-point, and instead looked at it as part of continuous efforts to improve understanding of data protection and data sharing.
