The Information Commissioner’s Office gave the authority a “limited assurance” rating following a recent inspection.

It said that there is “considerable scope” to improve current arrangements to reduce the risk of compliance with the Data Protection Act.

The ICO report said: “We have made three limited assurance assessments in respect of each of records management, subject access requests and data sharing, where controls could be enhanced to address the issues…”

Related content

Edinburgh awards WAN contract
Cloud services - the shifting context

The council, it was discovered, has no information security manager or overarching policy – contrary to Local Public Services Data Handling Guidelines.

In addition, only 3,000 out of 18,000 stave have completed the mandatory Information Governance Foundation e-learning programme.

There is no record of the rationale for applying exemptions or withholding third part data in response to subject access requests, and the covalent register of data sharing agreements does not contain a dedicated field to record authorisation.

However, the ICO reported a number of positives, including the generation of monthly reports to identify files which have not been returned.

In addition, automatic emails are generated for subject access information deadlines, while services are required to produce and share draft sharing agreements.

Two months ago, the council signed a deal with supplier CGI combining a core contract with the ability to turn individual services on and off.