21.03.17
Councils urged to improve data protection practices to comply with GDPR
Many councils have considerable work to do in order to comply with the new General Data Protection Regulation (GDPR), which will come into force in May 2018, a survey conducted by the Information Commissioner’s Office (ICO) has revealed.
The ICO questioned councils at the end of last year about the effectiveness of their information governance practices, receiving a total of 173 responses.
While the survey found that “positive measures” were being put in place in councils to ensure data was being handled and protected correctly, it also highlighted that there was “work to do” in many local councils to adhere to the Data Protection Act and fall in line with the incoming regulations.
Strikingly, only a quarter of councils had a data protection officer in place, despite the GDPR requiring that all public authorities have one by next year. On top of this, the ICO found that more than 15% of councils did not have data protection training available for staff processing personal data.
It was also found that around a third (34%) of local authorities didn’t have privacy impact assessments (PIA), another requirement that all councils will have to meet when the GDPR makes the assessments a legal requirement next year.
To bring councils up to speed with the new regulation, the ICO set out a number of key recommendations, including adopting a “privacy by design” approach: councils should produce their own PIA processes, together with guidelines for staff, to make sure that privacy issues are addressed alongside the projects themselves, and should review those processes annually.
Having the right staff in place, and equipping them to know how to handle data, was also identified as crucial.
The ICO called for all councils to establish an Information Asset Register to help staff know what information the authority holds, where it is, and which Information Asset Owner is responsible for it. Data handling also needed to be consistently monitored and benchmarked to facilitate improvement.
The survey also said that staff needed better knowledge about the regulations, stating: “It’s vital all staff keep data protection in mind – staff not knowing what they need to about data protection is behind many of the information security incidents our enforcement team sees in the local government sector.”
The breaches the ICO refers to include Nottinghamshire Borough Council, which announced that it had experienced a cyber security breach last year. Concern was also raised at Redbridge Council when the ICO conducted an audit into the council’s data protection processes and found that its systems for handling data and complying with data regulations were “unacceptable”.
The ICO added: “In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals.
“As such, it’s a good idea to have a proper incident management process. Yet our survey showed 14% of councils do not have an Information Security Incident Management Policy and 22% do not consider reports and KPIs for information security breaches.”