Trowers & Hamlins


Local authority data protection - room for improvement
Trowers Public Insight

The Information Commissioner's Office (the ICO) reveals that Local Authorities have more to do in protecting the public's personal data.

The Information Commissioner's Office (the ICO) has recently published a report setting out its findings from audits of local authorities in 2013. The audits assess the arrangements that an organisation has in place for complying with the Data Protection Act 1998 (DPA) and the extent to which they are adhering to them.

Following an audit, local authorities are assigned one of four "assurance ratings" as follows:

  • High assurance - Limited scope for improving existing arrangements. Significant action unlikely to be required.
  • Reasonable assurance - Some scope for improvement in existing arrangements
  • Limited assurance - Considerable scope for improvement in existing arrangements
  • Very limited assurance - Substantial risk of non-compliance with DPA. Immediate action required.

Of the sixteen local authorities audited in 2013, none received a High Assurance rating, nine received a Reasonable Assurance rating, six received a Limited Assurance rating and one received a Very Limited Assurance rating. Although the report focuses on a small sample, it is clear that there is a great deal of room for improvement.

Helpfully, the report also sets out areas of good practice and useful case studies which local authorities would do well to adopt across six key areas:

  • Data protection governance – assigning ownership of information governance to key posts, for example, a Data Protection Officer (DPO) and a Senior Information Risk Owner (SIRO).
  • Records management – making fair processing notices readily available to inform data subjects how their personal data will be processed and (where applicable) shared.
  • Requests for personal data – making key individuals and/or teams responsible for processing subject access requests.
  • Security of personal data – assigning information security responsibilities to establish relevant ownership and responsibility within the corporate information security framework.
  • Training and awareness – ensuring that key individuals and/or teams take clear ownership of and responsibility for data protection training.
  • Data sharing – maintaining logs of data sharing agreements to ensure that disclosures and any bulk sharing of information are tracked effectively.

At a time when local authorities are being asked to do more with less, data protection may find itself down the list of priorities compared to finding financial efficiencies and protecting front line services. However, data protection failures can affect a local authority's bottom line, with the ICO levying fines on local authorities for the most serious breaches of the data protection principles totalling over £2.3m. This report therefore serves as a timely reminder of the importance attached to data protection, both for the individuals whose data it is and for the authorities holding it.