Still much more to be done by LAs to comply with Best Practice / Legal Requirements
The ICO has published the results of a survey completed by local councils at the end of last year, along with a blog highlighting guidance available (see second link below) to help councils achieve compliance with the new General Data Protection Regulation (GDPR).
Anulka Clarke, ICO Head of Good Practice, said: “The overarching conclusion from our analysis of the survey results was that, although there is a lot of good practice out there, with GDPR coming in May 2018, many councils have work to do to prepare for the new GDPR.”
Some of the Findings:
* Although most councils carry out privacy impact assessments (PIAs), 34% of councils still do not. That will need to change. GDPR makes it a legal requirement for councils to conduct data protection impact assessments in certain circumstances. The ICO Privacy Impact Assessment Code of Practice provides more advice and will be reissued for GDPR in due course.
* 37% of councils have no data sharing policy, despite increasing data sharing requirements to provide certain services. The ICO data sharing guidance can help change that.
* 25% of councils told us they don’t have a data protection officer. Under GDPR the role of data protection officer is required in public authorities.
* Establishing an Information Asset Register (IAR) will help ensure a council knows what information it holds, where it is & which Information Asset Owner (IAO) is responsible for it. Yet our survey showed just 17% of councils have a complete IAR and 34% have yet to appoint IAOs.
* 18% of councils did not provide mandatory data protection training for staff processing personal data. It is important councils remember to train temporary staff and provide annual refresher training for all staff. All the guidance on the ICO website can be used for training, including our dedicated training resource area.
* It’s a good idea to have a proper incident management process. Yet the survey showed 14% of councils do not have an Information Security Incident Management Policy and 22% do not consider reports and KPIs for information security breaches.