Anglesey County Council has been served an enforcement notice by the Information Commissioner’s Office (ICO) after failing to improve the data security practices it had committed to following two separate security incidents.
The ICO issued the council with undertakings in January 2011 and December 2012 to ensure that remedial action was taken following two security incidents that were investigated by the ICO.
However, audits provided the ICO with “very limited assurance” that the council was complying with the Data Protection Act.
The commissioner has now exercised his enforcement powers, requiring the council to take the following nine steps over the next three months to protect data, ensuring that:
- Data protection KPIs and measures are monitored and acted upon (including the number and nature of information security incidents).
- There is a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis.
- Completion of any such training is monitored and properly documented.
- Policies (including the Records Management Policy) are being read, understood and complied with by all staff.
- Information is backed up to the external server on a daily basis.
- Back-ups are tested periodically to ensure that they have not degraded and that information is recoverable.
- Physical access rights are revoked promptly when staff leave and periodically reviewed to ensure that appropriate controls are in place.
- The lack of adequate storage solutions for manual records is addressed.
- Consistent and regular monitoring is undertaken to enforce a clear desk policy.
Steve Watkins, director of IT Governance, said, “The nine recommended steps provided by the ICO are very similar to some of the requirements of the international standard that describes best practice for an information security management system, ISO 27001. This suggests that if the council had adopted an ISO 27001-based ISMS in the first instance, they may have avoided this enforcement notice, the bad press that’s come with it, and possibly the two data security incidents.”
To learn more about ISO 27001 and how it can help your organisation, download our free green paper Information Security & ISO 27001: An introduction.