Despite areas of good practice, there is room for improvement in how local authorities protect personal data, says an audit report by the Information Commissioner’s Office (ICO).
None of the 16 local authorities audited by the ICO in 2013 received a high overall assurance rating for compliance with the Data Protection Act (DPA).
One local authority was warned that immediate action was required, while nine were told they had some scope for improvement and six were told they had considerable room for improvement.
The report includes a list of areas for improvement identified by the audits, notably improving training and ensuring effective data protection governance is in place.
Despite budget cuts, it is important to appreciate that the lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA, the ICO said.
Although one local authority scored a high assurance rating for training and awareness, three were told there was some scope for improvement, two were told considerable improvement was required, and three were warned immediate action was required.
The report also lists examples of good practice found during the audits, in areas such as information security and records management.
The release of the report coincided with the ICO announcing that it has levied a £180,000 penalty on the Ministry of Justice for “serious failings” in personal-data protection at prisons in England and Wales.
“The ICO has levied monetary penalties to local authorities for the most serious breaches of the data protection principles, totalling over £2.3m,” said John-Pierre Lamb, good practice team group manager at the ICO.
“The types of breaches we are seeing are fairly consistent, with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent.
“It’s clear there’s room for improvement and not just by the local authorities we visited. The areas for improvement we identified in those visits should prove helpful to many local authorities,” said Lamb.
The ICO hopes that by learning from the mistakes and good practice of others, local authorities will improve their compliance with the law.