Edinburgh council ordered to improve data protection

City of Edinburgh Council (CEC) has received criticism from the Information Commissioner’s Office after a recent audit found a “limited level of assurance that processes and procedures are in place.”

The council agreed to a consensual audit by the ICO Good Practice Department back in January 2014, to monitor its processing of personal data.

It was agreed by both parties that the audit would include analysis of the council’s record management, subject access requests and data sharing.

Considerable scope for improvement

The resulting report concluded: “The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA (Data Protection Act).”

The auditors’ report commended several areas of practice on display, including monthly reports generated to identify files which have not been returned, and the submission of draft sharing agreements to the Information Governance Unit (IGU) and Legal Services for review before the Information Council (IC) provides sign-off.

However, the ICO concluded that CEC must still make significant improvements to be compliant.

Key areas requiring improvement:

  • There is no Information Security Manager or overarching Information Security Policy, contrary to the Local Public Services Data Handling Guidelines.
  • Information Asset Owners (IAOs) are not currently embedded at CEC and the corporate Information Asset Register (IAR) is in the nascent stages of development.
  • Only 3,000 (approximately) of the 18,000 workforce had successfully completed the mandatory Information Governance Foundation e-learning at the time of our visit.
  • There is no documented target for subject access compliance across CEC.
  • There is no record of the rationale for applying exemptions or withholding third party data in response to subject access requests.
  • The Covalent register of data sharing agreements does not have a dedicated field to record authorisation.

The council is now tasked with meeting these areas of improvement, though the ICO has not yet given it a specific time scale for completion.
