Anglesey County Council, in Wales, must improve its data protection practices after repeated security failings, according to a legal notice issued by the Information Commissioner’s Office (ICO).
The ICO concluded that despite the council committing to making necessary changes, very little had actually been done to improve things.
Anglesey signed undertakings to upgrade its cyber security after two breaches in 2011 and 2012. However, auditors visiting in July 2013 and October 2014 still found frailties around the council’s digital defence of personal data.
The ICO has issued the local authority with a nine-point plan to put in place robust new measures to improve its data protection procedures.
Key elements of the plan include:
- creating a records management policy
- providing mandatory data protection training for employees
- improving data security around outgoing staff
Failure to ‘deliver promised improvements’
Anne Jones, Assistant Commissioner for Wales, commented: “It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements.
“Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect.
“Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”
Council ‘surprised’ to receive notice
The council issued a statement saying it had implemented more than 100 recommendations in the 12 months between its 2013 and 2014 audits and that the latter inspection had found “significant improvement”.
It stated: “Another 66 further recommendations were agreed in light of the re-audit in 2014 and to date the council has completed 22 actions. The council is surprised to receive the enforcement notice at this time and stage in its improvement.
“However, the council is currently considering the actions referred to in the enforcement notice and will continue to cooperate with the ICO to implement the work-plan.”