Councils in the UK have work to do ahead of the EU's General Data Protection Regulations, according to the Information Commissioner's Office's department for good practice.
The survey, which was conducted at the end of last year, quizzed 173 councils and found that many were not prepared for the more stringent data regime, which will come into effect from May 2018, with a significant number failing to even hire a data protection officer – a lawful requirement under the GDPR.
The full results of the survey were published on the same day that the ICO fined Norfolk County Council £60,000 for sending a cabinet with files containing sensitive information relating to children to a local second-hand shop.
Responses in the eight-page document [PDF] reveal that fewer than 18 per cent of councils have fully completed an Information Asset Register, and only 52 per cent are ensuring that third-party data processors have contractual obligations imposed upon them to meet the security requirements of data protection.
Infographic from ICO
More than 11 per cent of councils do not even maintain corporate logs regarding information security breaches, according to the survey, which also found a lack of adherence to information handling standards:
- 48.6 per cent of councils were in compliance with the Local Public Services Data Handling Guidelines 2014 standards.
- 44.5 per cent of councils were in compliance with the NHS Information Governance Toolkit (social care) standards.
- 88 per cent of councils were in compliance with ISO 27001.
- 43.4 per cent of councils were compliant with the Payment Card Industry Data Security Standard (PCI DSS).
- 79.8 per cent of councils were compliant with Government Security Classifications post 2 April 2014 (Official, Official – sensitive, Secret, Top Secret)
"It's vital all staff keep data protection in mind," the ICO's head of good practice Anulka Clarke wrote. "Staff not knowing what they need to about data protection is behind many of the information security incidents our enforcement team sees in the local government sector.
"Although the majority of councils told us they provide mandatory data protection training for staff processing personal data, we found it concerning that 18 per cent of councils did not," Clarke said, adding that a full index of the ICO's guidance for organisations seeking to dodge the new sanctions are available here. ®