Information Commissioner's Office
 Printable version
|
Council rapped for data protection failings
A Scottish council has been rapped by the regulator for repeatedly failing to train staff around data protection.
West Dunbartonshire Council were told to implement training on several occasions, as well as being advised to put in place a policy around home working. But their failure to do so ultimately contributed to a data breach that led to a child’s medical reports being stolen.
The Information Commissioner’s Office carried out an audit of the council in January 2013. The audit gave a reasonable assurance of the council’s compliance with the law, but made recommendations for areas that needed improvement, including training for all staff and adopting a home working procedure. A follow-up audit in November 2013 showed progress, but showed some of the recommendations still had not been implemented.
In July 2014, the council reported a data breach to the ICO, after an employee had a bag containing confidential information stolen. The employee had taken details of an adoption case out of the office to work on from home, but a laptop and paperwork left in their car overnight were stolen.
An ICO investigation found the employee had not been given training on the Data Protection Act, and the council still had no guidance to staff on handling personal information when working from home. The council avoided a fine as the breach did not cause substantial damage or distress.
The council has now been issued with an enforcement notice obliging it to implement training and guidance, or face court action.
Ken Macdonald, Assistant Information Commissioner for Scotland, said:
“Time and time again we have told this council to make these changes, and yet they have still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring them to act.
“Let’s be clear, what we’re asking for here is a basic requirement for an organisation that is trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this was made clear to the council, this still hasn’t happened.”
The ICO is the regulatory body in Scotland for data protection issues and Ken Macdonald leads its offices in Scotland and Northern Ireland. Scotland also has its own Information Commissioner to regulate the Freedom of Information (Scotland) Act that covers Scottish public authorities.
Notes for editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
- To report a concern to the ICO telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.
