Local councils are being offered advice by the data protection regulator ahead of a new law coming into force next year. The Information Commissioner’s Office (ICO) has published the results of a survey completed by local councils at the end of last year, along with a blog highlighting guidance available to help councils achieve compliance with the new European Union General Data Protection Regulation (GDPR).
Anulka Clarke, the ICO’s head of good practice, said: “The overarching conclusion from our analysis of the survey results was that, although there’s a lot of good practice out there, with the GDPR coming in May 2018, many councils have work to do to prepare for this new law.”
On Monday 20 March, the ICO fined Norfolk County Council for a data breach involving social work files. “We will issue fines where necessary,” continued Clarke, “but we would much rather work with councils to help them prevent data security incidents. That’s why we undertook this survey, to find out where the problems are and why the ICO will be on hand in the run-up to May 2018 to help councils in their GDPR preparations.”
Taking care of personal information
The breach by Norfolk County Council came to light after social work case files were discovered in a cabinet purchased by a member of the public from a second-hand shop. The case files included information relating to seven children.
Steve Eckersley, the ICO’s head of enforcement, explained: “The council had disposed of some furniture as part of an office move, but had failed to ensure that the cabinets were empty before disposal. Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances. For no good reason, Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal information were thoroughly checked before disposal.”
For its part, the new GDPR sets high standards for organisations when it comes to the privacy of personal data. Having the right staff and procedures in place will be key to ensuring councils look after personal information properly and comply with the new rules.
Talking about the ICO’s survey, which received a total of 173 responses, Marc Agnew (vice-president at ViaSat Europe) stated: “The ICO survey revealed that 37% of councils have no data sharing policy, which is a major concern as the public sector handles by far the largest amounts of sensitive data, meaning the opportunities for a breach are greatly increased.”
Agnew went on to say: “With the upcoming GDPR, the Government needs to do more to meet its obligations to securely handle personal information, while councils need to ensure that they’re providing effective education for their staff. The ICO can only do so much when it comes to providing guidance and subsequently fining offenders; organisations need to start taking data protection seriously and protect the often very sensitive data they hold.”
In addition, Agnew observed: “As more than 15% of councils don’t have data protection training in place for employees processing personal data, they need to look at the training workers are given and ensure they not only know how to reduce the risk of a successful attack, but also how to react to one. This includes assessing the security technology in use, from firewalls to anti-virus and on to encryption, but also the actual data such that any data that’s stolen is essentially worthless.”
New resources launched to help health sector
The ICO has launched a new set of resources aimed at improving records management in the health sector. The work was prompted by ICO audits in a broad range of health organisations, which discovered:
* 33% of ICO audits of health organisations found no Information Asset Register or nominated information asset owners
* 22% of ICO audits of health organisations unveiled issues with logging, tracking, movement or security of paper records
* 200-plus self-reported breaches of data being posted or faxed to the incorrect recipient in the last financial year in the health sector
* 200-plus self-reported breaches of paperwork lost or stolen across the last financial year in the health sector
The resources are based on the ICO’s experiences from those audits. They include tips and advice that complement existing ICO guidance, as well as practical resources that data protection officers, records managers and information governance specialists can use to help educate colleagues on how to ensure they’re operating in line with the Data Protection Act. Specifically, the resources include training videos, posters and case studies.
ICO Good Practice Group manager Leanne Doherty said: “The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after, whether that’s at large NHS hospitals or small private dentists. Unfortunately, our audits show a worrying trend of health organisations failing to properly manage the records they hold.”
Doherty added: “The people we speak to want to make sure that this is right. We’ve seen first-hand the professionalism and commitment of people working in information governance in this sector, and we know some of the challenges they face. We’ve looked to create resources that offer them practical support and give them the tools to improve approaches towards records management in their organisations.”
The new resources can be found at ico.org.uk/HealthResources
The ICO plans to offer similar sets of resources around other aspects of data protection in the health sector over the coming year.