The Information Commissioner's Office (the "ICO") audited 16 local authorities last year for their compliance with the Data Protection Act (the "DPA"). The report highlights the ICO's experience of personal data handling by these local authorities with the intention to help them, and others in the sector, identify areas for improvement.
The audit report includes an overall assurance rating for each participating local authority. None received the high assurance rating for compliance with the DPA. Six of the local authorities were given a limited assurance rating (meaning there is considerable scope for improvement in existing arrangements), and one local authority was given a very limited assurance rating (meaning there is a substantial risk of non-compliance and immediate action is required).
Some councils had not developed a suitable management framework to ensure effective supervision of data protection compliance. The lack of a structured framework was also reflected in weak council policies and procedures: services and/or individuals were able to create policies themselves without supervision or senior approval, and on occasion there was no procedure or forum through which operational staff could raise data protection issues.
The audit report also identified a number of issues with training and records management. One of the councils had no corporate Records Management Policy and no formal data protection training programme that incorporated records management. In some councils there was a particular lack of staff-wide formal training tailored to the needs of different roles, with training often being delivered on an ad hoc basis. Another council failed to provide any formal specialised training to employees processing subject access requests, instead relying on Legal Services for relevant advice. Training and awareness were a particularly weak area, with a number of councils requiring immediate action because of the risk of serious breaches of the DPA.
The report serves as useful guidance not only to the councils that were audited but also to others in the sector. It highlights good examples of data protection compliance which can guide other councils in developing their own data protection procedures. Similarly, the specific examples given in the areas for improvement serve as a warning to organisations, setting out situations in which there is a serious risk of non-compliance. As John-Pierre Lamb, ICO Group Manager in the Good Practice Team, has stated, "by learning from the mistake of others… and from the examples of good practice found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door."