Information Commissioner's Office
Printable version

ICO orders Welsh council to improve on data protection

The ICO has ordered Anglesey County Council to improve its data protection practices after it repeatedly failed to address security and privacy issues.

Two separate security incidents as far back as 2011 led to the council signing undertakings to make changes and improve practices. But despite committing to the improvements, audit visits in July 2013 and October 2014 still found unresolved problems with the security of personal data.

Anne Jones, Assistant Commissioner for Wales said:

“It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements. Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect.

“Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”

The enforcement notice orders the council to put in place mandatory data protection training for all staff, maintain a records management policy and ensure appropriate controls are in place when staff leave the organisation.

It is a breach of the seventh Data Protection Principle to fail to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  1. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO is onTwitterFacebookandLinkedIn. Read more in the ICO blogand e-newsletter.Our Press Office page provides more information for journalists.
  1. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection


Channel website:

Share this article

Latest News from
Information Commissioner's Office