ICO: Councils need to sharpen up on data protection ahead of GDPR

Written by Rebecca Hill on 22 March 2017 in News

Survey shows lack of preparedness as data protection watchdog slaps £60,000 fine on Norfolk County Council

ICO tells councils to take action on data protection now - Photo credit: Fotolia

A survey carried out by the UK’s data protection watchdog has found that a quarter of councils don’t have a data protection officer, while more than 15% don’t provide data protection training for employees.

The Information Commissioner’s Office carried out the survey of around 180 councils at the end of last year, in a bid to spread awareness of the impending General Data Protection Regulation that will come into force in May 2018.

The survey results have been published at the same time as the watchdog gave Norfolk County Council a £60,000 fine for a 2014 incident where social work case files relating to seven children were left in a cabinet that was given to a second hand shop.

The ICO said that there was “no good reason” for oversight, and that the council should have had “robust measures” in place to protect the information.

It emphasised the importance of councils having the right staff and procedures in place, while noting that the survey showed councils were still some way from the ideal situation.

Related content

Socitm president Geoff Connell urges councils to combine data protection and exploitation roles
Same difference? How the GDPR will differ from the DPA – and what public servants need to do now
Public authorities ‘will find using consent difficult’, says ICO GDPR guidance

The survey, which was published on 20 March, found that 26% (45) of the councils do not have a data protection officer – a requirement of the GDPR.

In addition, 51% do not have a records manager, 45% have no appointed information security manager and 35% lack an information governance manager.

Meanwhile, 18% of councils said they did not have mandatory data protection training for staff that are processing personal data, which the ICO said was “concerning” as it is a vital part of limiting data breaches.

The ICO stressed that it was important that temporary staff are also given training, and that permanent staff had an annual refresher course – the survey found that a third did not run mandatory refresher courses.

The watchdog also urged councils to up their game on privacy impact assessments, after finding that 34% of councils don’t carry them out.

These assessments allow organisations to identify the best way to comply with data protection obligations, and will be a legal requirement under the GDPR for new technologies and when data processing is likely to result in high risk to the rights and freedoms of an individual.

Meanwhile, the survey found that a number of councils lacked high-level planning, management and monitoring of their compliance.

Some 37% said they did not have a data-sharing policy in place, while 57% said they lacked an information risk policy.

However, the ICO said it was “good to see that 93% of councils have a data protection and information security policy”, and 83% said they had a Freedom of Information policy.

It added that it was also important that councils kept track of the information they hold, and was able to use that to improve their data protection activities.

“It’s important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement,” the ICO’s head of good practice Anulka Clarke said.

This can be achieved through compliance reports and key performance indicators, she said – but noted that 27% of councils do not consider data protection training reports and KPIs.

Clarke said that councils that adhere to good practice measures under the Data Protection Act – which will be superseded by the GDPR – will be stood in good stead for the new regulation.

In a separate statement Clarke added that the ICO wanted to help councils meet their requirements. As in the case of Norfolk council, she said, the ICO would “issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents”.

Norfolk County Council’s head of information management, Geoff Connell – who took on the role in August 2016 – said that the council had used the ICO’s visits to “up its game” more broadly.

He added that it was important that the team didn’t use that as an end-point, and instead looked at it as part of continuous efforts to improve understanding of data protection and data sharing.

Share this page


Add new comment

Related Articles

Election 2017: Party manifestos urged to focus on IT systems for Brexit and championing digital leadership
2 May 2017

As parliament dissolves and the date of the poll marches closer, parties of all colours are working up their manifestos...

University of Surrey bags £1.1m to trial blockchain for healthcare, voting and digital archives
8 May 2017

Project plans include using distributed ledger technology to give healthcare workers secure access to biometric data...

Sadiq Khan seeks first chief digital officer for London
4 May 2017

Job offered at £107,000 as London Office for Data Analytics pilot indicates initial successes

Related Sponsored Articles

Impact of AI on UK jobs market divides opinion, says BT survey
14 June 2017

BT finds that IT Directors disagree over whether Artificial Intelligence will create or displace jobs

How big data is helping to transform the defence sector
8 June 2017

Bill Holford explores how big data is changing modern warfare, and argues for a defence big data strategy to ensure we are making the most of the opportunities ahead

Defence in a digital and disruptive era: innovation in IT
8 June 2017

BT looks at turning points within the UK defence sector, the evolving nature of warfare and how new cyber-attacks pose new questions for our national defence