Underlying problem with data protection in local government, says the ICO, but what is to be done?

It was revealed this week that four local councils have been fined a total of over £300,000 for serious data breaches by the Information Commissioner.

According to this news that was circulated online:

‘The Information Commissioner’s Office is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, and if necessary without consent.’

The Councils issued with a penalty are:

  • Leeds City Council was fined £95,000 for sending sensitive personal details about a child in care to the wrong person
  • Plymouth City Council has to pay £60,000 for passing information to the wrong recipient including highly sensitive personal information about two parents and four children
  • Devon County Council was fined £90,000 after a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.
  • London Borough of Lewisham was issued with a £70,000 penalty after a social worker left sensitive documents in a plastic shopping bag on a train after taking them home to work on.

Worryingly, a total of 19 councils have now been fined a combined sum of almost £2m for data breaches so far. A list of all public bodies issued with a penalty is available on the ICO website.

Human error?

Information Commissioner Christopher Graham said, “It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence.

“Far too often in these cases the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.”

Public bodies have to be educated about data loss

Public bodies and private organisations in the UK handling personal data must comply with the Data Protection Act (DPA). Effective measures to reduce the likelihood of data loss by staff are long overdue.

The DPA is concerned with personal, as opposed to corporate, data; this applies to electronic data, as well as paper records. It also applies to data held in storage media including CCTV, websites and the Internet, as well as databases. The data covered by the DPA encompasses information on recruitment and selection of staff, employment records, staff monitoring and information about staff health.

One of the principles of the Act states:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. “

The above fines demonstrate that this principle clearly hasn’t been adhered to.

Act now – don’t wait until it is too late

  • Book your staff on a DPA training course and learn how to comply with the DPA
  • Use the DPA toolkit for a fast route to creating the necessary policies and procedures in your organisation that will help you adopt a structured approach to data protection.
  • Introduce a comprehensive data protection staff awareness programme and deploy DPA staff awareness e-learning as part of it.
  • Secure laptops and other portable storage devices using encrypted software.
  • Use only encrypted USB sticks for transferring personal data.
  • Use visual security products, such as privacy filters, in high-traffic and public areas to ensure confidential information is not seen by unauthorised individuals
  • Classify information, or use automated document classification software, to avoid sending confidential data to unauthorised recipients
  • Maintain a ‘clean desk’ and ‘clean screen’ policy to prevent unauthorised access to your documents.
  • Define a secure parameter to ensure no unauthorised access.
  • Don’t leave sensitive data unattended.
  • Destroy restricted and confidential information before putting it in the waste bin.
  • Be aware of e-mails and websites containing malware – check the links prior to clicking on them.