ICO survey highlights work for local authorities to meet requirements of the GDPR

Out-Law News | 21 Mar 2017 | 4:22 pm | 2 min. read

Some local authorities across the UK will need to take steps to update their data protection policies and practices to align with new EU data protection laws, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) has published the results of a local government information governance survey (8-page / 166KB PDF) it carried out late last year. According to the results, 26% of councils have still to appoint a data protection officer as they will be required to do when the General Data Protection Regulation (GDPR) begins to apply on 25 May 2018.

The ICO also highlighted shortcomings in the approach some local authorities take to data protection training, data breach management and assessing the privacy impact of proposed new data processing activities.

In a blog detailing some of the results of the survey, the ICO's head of good practice Anulka Clarke said that a lack of knowledge among staff about data protection had been behind "many of the information security incidents" the ICO was aware of in the local government sector.

"Although the majority of councils told us they provide mandatory data protection training for staff processing personal data, we found it concerning that 18% of councils did not," Clarke said. "It’s important councils remember to train temporary staff and provide annual refresher training for all staff."

The ICO survey also found that about one in seven local authorities in the UK do not have an information security incident management policy in place.

"In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital," Clarke said. "Every effort should be taken to minimise the potential impact on affected individuals. As such, it’s a good idea to have a proper incident management process. Yet our survey showed 14% of councils do not have an information security incident management policy and 22% do not consider reports and KPIs for information security breaches."

Under the GDPR, data controllers will be required to carry out data protection impact assessments prior to carrying out certain data processing activities. The DPIA obligation will apply "where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons".

However, according to the ICO's survey, more than a third of local authorities in the UK (34%) do not undertake such DPIAs to identify and reduce the privacy risks of any new process or project.

The survey also revealed that 37% of local authorities do not have a policy on data sharing and that fewer than half of authorities have contracts in place with all their data processors which "explicitly impose obligations" in relation to data security on those processors.

The results of the survey were published as the ICO also announced that it had imposed a £60,000 fine on Norfolk County Council over a data breach which stemmed from inadequate data disposal practices.

According to the ICO (16-page / 2.8MB PDF), a member of the public discovered social work case files in a cabinet they bought from a second hand shop which contained information about seven children.

The ICO held that Norfolk County Council was responsible for a serious breach of the Data Protection Act. It said it is "crucial" that councils have "the appropriate staff and procedures in place … [to] look after personal information properly" under the forthcoming GDPR.

Steve Eckersley, ICO head of enforcement, said: "The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal. Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances."

"For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal information were thoroughly checked before disposal," he said.