The Information Commissioner’s Office (ICO) has ordered Anglesey County Council to improve its data protection practices after it repeatedly failed to address security and privacy issues.
Two separate security incidents dating back to 2011 led to the council signing undertakings to make changes and improve practices.
But despite the council committing to the improvements, the ICO said audit visits in July 2013 and October 2014 still found unresolved problems with the security of personal data.
Anne Jones, assistant commissioner for Wales, said it is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements.
“Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect,” she said.
Jones added that the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure.
“This enforcement notice puts an additional legal requirement on them to do so,” she said.
The notice orders the council to put in place mandatory data protection training for all staff, maintain a records management policy and ensure appropriate controls are in place when staff leave the organisation.
The seventh article of the Data Protection Act (DPA) requires organisations to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The DPA also requires that personal data is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with citizens’ rights
- Not transferred to other countries without adequate protection