User menu

Watchdog issues Welsh council with data protection enforcement notice

A Welsh council has been hit with an enforcement notice requiring it to improve its data protection practices.

The Information Commissioner’s Office said Anglesey County Council had repeatedly failed to address security and privacy issues.

The ICO issued Anglesey with undertakings in January 2011 and December 2012 to ensure remedial action was taken following two security incidents.

The watchdog said an audit of the council carried out in July 2013 had only provided “very limited assurance”.

A follow-up audit in October 2014 revealed that the recommendations made in the undertakings and the July 2013 audit report had not been fully implemented by the council.

Responding to a preliminary enforcement notice issued in August this year, Anglesey argued that it had put compliance measures in place.

“Having reviewed the documents in support of the council’s representations and in light of the council’s previous record, the ICO only has limited confidence in the council’s commitment to implement the required steps on an ongoing basis,” the ICO said.

In the enforcement notice the watchdog said it was satisfied that Anglesey had contravened the Seventh Data Protection Principle in that it had failed to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The notice requires Anglesey to:

  • Monitor and act upon data protection KPI’s and measures (including the number and nature of information security incidents);
  • Carry out a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis;
  • Monitor and properly document completion of any such training;
  • Ensure policies (including the Records Management Policy) are being read, understood and complied with by all staff;
  • Back up information to the external server on a daily basis;
  • Test back-ups periodically to ensure that they have not degraded and that information is recoverable;
  • Revoke physical access rights promptly when staff leave and review this periodically to ensure that appropriate controls are in place;
  • Address the lack of adequate storage solutions for manual records; and
  • Undertake consistent and regular monitoring to enforce a clear desk policy.

Anne Jones, Assistant Commissioner for Wales said: “It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements. Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect.

“Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”