Local councils handle lots of information, much of which is sensitive.
If the security of this data is compromised, it doesn’t take much to imagine how distressing that could be for the people involved.
Unfortunately, it happens. The Information Commissioner’s Office has seen an increase in data security incidents in local government this year. There were 43 incidents between January and March 2016, 62 incidents between April and June and 62 incidents between July and September.
We understand local councils are working with limited resources and often increasingly shared services, but getting data protection right is non-negotiable. We want to help them to do this – not just because the law requires them to, but because the consequences of not getting it right can be devastating for the people involved.
The team I lead in the ICO’s enforcement department investigates local authorities that may have breached the Data Protection Act. If we find they have, they can face enforcement action including fines of up to £500,000.
Based on some of our recent investigations, I’ve identified some issues all councils should consider:
Making sure staff know what they need to know about data protection is relatively cheap and easy to do, but many councils have not implemented sufficient staff training. This was evident in a recent case involving Ealing LBC, where the council failed to follow our previous advice to improve training.
Data being sent to the wrong person by post, fax or email was among the top types of incident in this sector in both April-June and July-September this year. It is vital staff keep data protection in mind.
Know your records
Councils hold a lot of personal data across a wide range of departments. Know what records you hold, where they are, who is responsible for them and how long you keep them for. It can be useful to carry out a records management audit taking into account the eight data protection principles, detailed on our website, ico.org.uk.
Check home working practices
A Scottish council’s failure to implement a home working policy resulted in ICO enforcement action earlier this year after a medical report was stolen. We’re holding a webinar on this subject on December 14, which you can register for at ico.org.uk/onthemove.
Integrate information governance teams
There are some excellent data protection officers out there but we sometimes find senior management do not share their commitment to avoiding a data breach. Data protection is a boardroom issue and, with an update to the EU’s General Data Protection Regulation around the corner, it’s vital that senior managers, as well as information governance officers, are prepared.
Check up on redaction software
Failure to redact data was one of the top types of data incident last quarter in the local government sector. Make sure staff are using the appropriate software.
Do you have policies in place?
If your council has a breach and our investigation finds you didn’t have adequate data protection policies in place, this could be held against you when we’re considering enforcement action. Make sure your policies are reviewed regularly.
Have a breach management process in place
It’s a good idea to have a proper breach management process and use it to learn from mistakes, stopping a minor incident becoming a major one next time.
There’s more advice for local councils on our website, as well as guidance around issues such as staff training, encryption and homeworking.
Laura Middleton, enforcement team manager, Information Commissioner’s Office