Council data breaches are on the rise. Here’s what you can do about it

Laura Middleton

Local councils handle lots of information, much of which is sensitive.

If the security of this data is compromised, it doesn’t take much to imagine how distressing that could be for the people involved.

Unfortunately, it happens. The Information Commissioner’s Office has seen an increase in data security incidents in local government this year. There were 43 incidents between January and March 2016, 62 incidents between April and June and 62 incidents between July and September.

We understand local councils are working with limited resources and often increasingly shared services, but getting data protection right is non-negotiable. We want to help them to do this – not just because the law requires them to, but because the consequences of not getting it right can be devastating for the people involved.

The team I lead in the ICO’s enforcement department investigates local authorities that may have breached the Data Protection Act. If we find they have, they can face enforcement action including fines of up to £500,000.

Based on some of our recent investigations, I’ve identified some issues all councils should consider:

Staff training

Making sure staff know what they need to about data protection is relatively cheap and easy to do, but many councils have not implemented sufficient staff training. This was evident in a recent case involving Ealing LBC, where the council failed to follow our previous advice to improve training.

Data being sent to the wrong person by post, fax or email was among the top types of incident in this sector in both April-June and July-September this year. It is vital staff keep data protection in mind.

Know your records

Councils hold a lot of personal data across a wide range of departments. Know what records you hold, where they are, who is responsible for them and how long you keep them for. It can be useful to carry out a records management audit taking into account the eight data protection principles, detailed on our website,

Check home working practices

A Scottish council’s failure to implement a home working policy resulted in ICO enforcement action earlier this year after a medical report was stolen. We’re holding a webinar on this subject on December 14 which you can register for at

Integrate information governance teams

There are some excellent data protection officers out there but we sometimes find senior management do not share their commitment to avoiding a data breach. Data protection is a boardroom issue and, with an update to the EU’s General Data Protection Regulation around the corner, it’s vital that senior managers, as well as information governance officers, are prepared.

Check up on redaction software

Failure to redact data was one of the top types of data incident last quarter in the local government sector. Make sure staff are using the appropriate software.

Do you have policies in place?

If your council has a breach and our investigation finds you didn’t have adequate data protection policies in place, this could be held against you when we’re considering enforcement action. Make sure your policies are reviewed regularly.

Have a breach management process in place

It’s a good idea to have a proper breach management process and use it to learn from mistakes, stopping a minor incident becoming a major one next time.

There’s more advice for local councils on our website, as well as guidance around issues such as staff training, encryption and homeworking.

Laura Middleton, enforcement team manager, Information Commissioner’s Office
