ICO council survey highlights pre-GDPR data protection challenges
Regulator's report finds some authorities are yet to introduce key information management personnel such as data protection officers and senior information risk owners
Just over a quarter of 173 councils surveyed by the Information Commissioner’s Office (ICO) late last year were found to not have a data protection officer in place to oversee their privacy obligations, according to new findings released by the organisation.
The data regulator said the findings formed part of its Local Government Information Governance Survey, which was conducted at the end of 2016 in order to determine existing good practice among local authorities and where changes may be needed.
With the European General Data Protection Regulation (GDPR) set to become part of UK law from mid-2018, it will be mandatory for local authorities to have a data protection officer in place, a requirement that highlights some of the challenges facing councils.
“The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do,” said Anulka Clarke, head of good practice with the ICO.
“Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations.”
Among other conclusions, Clarke said the ICO findings showed that over 15% of surveyed authorities did not provide data protection training for employees charged with processing data.
Of the same survey group, a third of councils were shown to not presently conduct privacy impact assessments. This will again be a legal requirement for all authorities under GDPR.
The findings noted that 114 councils out of the surveyed authorities, amounting to 65.9%, undertook privacy impact assessments as part of efforts to identify and reduce privacy risks from introducing new projects or processes.
In its survey, the ICO also played up the importance of planning to ensure that all council staff have an understanding of data protection to limit the possibility of breaches. Lack of knowledge among council staff of data protection and information management requirements was identified by the data regulator’s enforcement team as a driver for many incidents recorded at local government level.
The data regulator also urged councils to monitor and benchmark their compliance to understand ongoing issues that may need to be addressed.
“It is good practice for councils to appoint a Senior Information Risk Owner (SIRO) to help manage information risk, so we’re pleased to see that 90% have created this role,” noted Clarke.
“Local councils hold a lot of personal data across a wide range of services. Establishing an Information Asset Register (IAR) will help ensure a council knows what information it holds, where it is and which Information Asset Owner (IAO) is responsible for it. Yet our survey showed just 17% of councils have a complete IAR and 34% have yet to appoint IAOs.”