Local authorities can improve data protection, says ICO audit

There is room for improvement in how local authorities protect personal data, says an audit report by the ICO

Despite areas of good practice, there is room for improvement in how local authorities protect personal data, says an audit report by the Information Commissioner’s Office (ICO).

None of the 16 local authorities audited by the ICO in 2013 received a high overall assurance rating for compliance with the Data Protection Act (DPA).

One local authority was warned that immediate action was required, while nine were told they had some scope for improvement and six were told they had considerable room for improvement.

The report includes a list of areas for improvement identified by the audits, notably improving training and ensuring effective data protection governance is in place.

Despite budget cuts, it is important to appreciate the lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA, the ICO said.

Although one local authority scored a high assurance rating for training and awareness, three were told there was some scope for improvement, two were told considerable improvement was required, and three were warned immediate action was required.

The report also lists examples of good practice found during the audits, in areas such as information security and records management.

The release of the report coincided with the ICO announcing that it has levied a £180,000 penalty on the Ministry of Justice for “serious failings” in personal-data protection at prisons in England and Wales.

“The ICO has levied monetary penalties to local authorities for the most serious breaches of the data protection principles, totalling over £2.3m,” said John-Pierre Lamb, good practice team group manager at the ICO.

“The types of breaches we are seeing are fairly consistent, with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent.

“It’s clear there’s room for improvement and not just by the local authorities we visited. The areas for improvement we identified in those visits should prove helpful to many local authorities,” said Lamb.

The ICO hopes that by learning from the mistakes and good practice of others, local authorities will improve their compliance with the law.

Read more on Privacy and data protection