Councils’ information breaches worry watchdog

24 Feb 12
The information watchdog has told Public Finance it has ‘special concerns’ about local government’s compliance with data protection laws.
By Vivienne Russell | 24 February 2012

David Smith, deputy commissioner and head of data protection at the Information Commissioner’s Office, said: ‘It appears that local government hasn’t attached the same degree of seriousness to addressing the security of personal information [as other parts of the public sector].’

His remarks follow a spate of official reprimands and fines for councils from the ICO.

On February 15, Cheshire East Council was fined £80,000 after a council employee used an unsecure email account to alert local voluntary workers to police concerns about an individual working in the area.

Just two days earlier, Croydon Council and Norfolk County Council received penalties of £100,000 and £80,000 respectively for failing to keep sensitive information about child protection secure. And before that five other councils were named as having breached the Data Protection Act.

The fines are issued if the ICO judges the information breach to be serious, with a risk of substantial damage or distress to individuals, and if it is one which the body should have known about and taken steps to address. The ICO has the power to issue fines of up to £500,000.

That the majority of fines issued so far have been levied on local government showed it was a ‘serious problem’, Smith said.

But he dismissed suggestions that the financial climate was a factor. ‘There’s no doubt that the current financial climate doesn’t help, but many of the breaches we’ve seen were not really as a result of lack of money,’ Smith told PF.

‘Having some procedures in place, proper training and allocating responsibility isn’t very expensive. Most of this isn’t about big changes to computer systems or the like. These are legal obligations, not optional extras… it’s a baseline area where you have to find the money to do it.’

Smith said that several of the cases under investigation concern shared service arrangements and the question of where responsibility lies. He stressed that if data security responsibilities are not agreed before partnerships are entered into then ‘everyone is in the frame’ should a complaint to the ICO be made.

He urged councils to assess the risks on data security and the measures they need to put in place to manage those risks. They should also ensure that someone takes responsibility for data protection at board level.

Cheshire East Council said it had apologised to the person affected by its data breach and put in place measures to ensure the breach was not repeated.
