The ICO finds "clear room for improvement by all" following local authorities audit report

The Information Commissioner's Office (the "ICO") audited 16 local authorities last year for their compliance with the Data Protection Act (the "DPA"). The report highlights the ICO's experience of personal data handling by these local authorities with the intention to help them, and others in the sector, identify areas for improvement.

The audit report includes an overall assurance rating for each of the participating local authorities, none of which received the high assurance rating for compliance with the DPA. Six of the local authorities were given a limited assurance rating (showing there is considerable scope for improvement in existing arrangements), with one local authority being given a very limited assurance rating (meaning there is a substantial risk of non-compliance, with immediate action required as a consequence).

Some councils had not developed a suitable management framework to ensure effective supervision of data protection compliance. The lack of a structured framework also reflected poorly in council policies and procedures. Services and/or individuals were able to create policies themselves without supervision or senior approval, and on occasion there was no procedure or forum to enable operational staff to raise data protection issues.

The audit report also identified a number of issues with training and records management. One of the councils had no corporate Records Management Policy and no formal data protection training programme that incorporated records management. Within some councils there was a particular lack of staff-wide formal training focused on needs, with training often being held on an ad hoc basis. Another council also failed to provide any formal specialised training to employees processing subject access requests, instead consulting Legal Services for relevant advice. Training and awareness were a particularly weak area, with a number of councils requiring immediate action due to the risk of serious breaches of the DPA.

However, despite these areas of weakness and the overall assurance ratings, the ICO identified a number of areas of good practice. Ownership of information governance was handled well in a couple of local authorities with Senior Information Risk Owners ("SIRO") and Data Protection Officers sitting on data protection and improvement steering groups, and a SIRO sitting on the Corporate Management Board. Some councils also had information risk registers with one council recording the data protection risks on corporate and operational risk registers alongside its planned activities to mitigate those risks. Records management and requests for personal data were also handled well by a number of councils, an example being a council's website privacy policy, which clearly informs data subjects of their rights under the DPA and links to more detailed pages which set out how to access personal data.

The report serves as useful guidance not only to those councils that were audited but also to others in the sector. The report highlights good examples of data protection compliance which can guide other councils in the development of their own data protection procedures. Similarly, the specific examples mentioned in the areas for improvement serve as a warning to organisations, setting out situations where there is a serious risk of non-compliance. As John-Pierre Lamb, ICO Group Manager in the Good Practice Team, has stated, "by learning from the mistake of others… and from the examples of good practice found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door."