
Scottish council subject to ICO data protection investigation

Out-Law News | 02 Aug 2013 | 3:18 pm | 2 min. read

The UK's data protection watchdog is investigating whether a Scottish local authority has breached the Data Protection Act (DPA).

On Thursday the Aberdeen Evening Express reported that Aberdeen City Council had suffered a data breach and that the incident was subject to an investigation by the Information Commissioner's Office (ICO).

The Council has subsequently confirmed to Out-Law.com that the incident in question occurred in February 2012 and that it reported the case to the ICO immediately. The case concerns the alleged loss of data after an employee in the Council's social work department allegedly used an insecure computer network when working on files from home.

A spokesman for the Council said that he was not in a position to say how many people may have been impacted by the breach until the ICO formally publishes and notifies it of the outcome of its investigation. However, he said that the case did not involve a mass data protection breach but was instead very restricted in its nature.

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches. The Act requires organisations to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" and requires organisations to be extra protective over sensitive personal data, such as patient medical records, due to the harm that can result from its unauthorised disclosure.

Most organisations, including local authorities, are not currently under a legal obligation to report data breaches to the ICO, but guidance previously issued by the watchdog states that the ICO "believes serious breaches should be brought to [its] attention".

The guide (6-page / 228KB PDF) outlines factors the ICO believes organisations should consider when assessing the seriousness of data breaches, including potential detriment to individuals affected as well as the volume and sensitivity of the data involved.

In April the ICO conducted a data protection audit of Aberdeen City Council (6-page / 108KB PDF) that focused on the Council's data protection governance, its training and awareness provisions, and its monitoring and security arrangements for personal data.

In its audit report published in June, the ICO said that, following its audit, it has a "reasonable level of assurance" that the Council's "processes and procedures" deliver data protection compliance, although it did identify some areas for improvement.

"The Council takes its obligations with respect to data protection compliance seriously, which is why it agreed to the assessment," a spokesperson for the Council said in reporting the outcome of the data protection audit.

"The Council recognises that it deals with personal information of varying degrees of sensitivity and welcomes the recommendations the ICO have made as a result of this process. Work will be ongoing over the next six months to implement the recommendations made by the ICO. The Council found the assessment process invaluable and wishes to thank representatives of the ICO for their openness and support throughout the process," they said.

Often the ICO will propose a consensual audit of organisations after its attention is brought to a data breach.

Civil monetary penalties cannot be issued by the ICO if an organisation subject to a data protection audit subsequently experiences a data breach in relation to any concerns identified by the watchdog as part of that audit.