Information Commissioner's Office
Information Governance Survey: What councils need to do now
Blog posted by: Anulka Clarke, ICO Head of Good Practice, March 20, 2017.
We’re here to help local councils comply with the Data Protection Act and get ready for the new General Data Protection Regulation (GDPR) coming into force from May 2018.
The ICO’s Good Practice department conducted a survey at the end of last year to find out more about information governance practices in local government. It received 173 responses. We already knew from our work with councils that there are some positive measures in place at local authorities but wanted to find out more about patterns of existing practices.
The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations.
The stand-out findings from our survey are highlighted in the infographic below.
The links in this blog will direct councils to some of the key areas they need to consider in their GDPR preparations. And, as always, we will continue to be on hand with practical advice on how to improve.
Adopt a privacy by design approach
Our survey results found that although most councils carry out privacy impact assessments (PIAs), 34% of councils still do not. That will need to change. GDPR makes it a legal requirement for councils to conduct data protection impact assessments in certain circumstances. Our Privacy Impact Assessment Code of Practice provides more advice and will be reissued for GDPR in due course.
Councils will benefit from producing their own PIA process and accompanying guidance to ensure privacy issues are considered as part of projects.
When it comes to other important policies, it was good to see that 93% of councils have a data protection and information security policy. But 37% of councils have no data sharing policy, despite increasing data sharing requirements to provide certain services. Our data sharing guidance can help change that.
Councils should make sure all their data protection policies are reviewed annually.
Have the right staff in place
A quarter of councils told us they don’t have a data protection officer. Under GDPR the role of data protection officer is required in public authorities.
It is good practice for councils to appoint a Senior Information Risk Owner (SIRO) to help manage information risk, so we’re pleased to see that 90% have created this role.
Local councils hold a lot of personal data across a wide range of services. Establishing an Information Asset Register (IAR) will help ensure a council knows what information it holds, where it is and which Information Asset Owner (IAO) is responsible for it. Yet our survey showed just 17% of councils has a complete IAR and 34% have yet to appoint IAOs.
The Local Public Services Data Handling Guidelines set out in more detail what information governance roles councils should have in place.
As well as keeping track of the information held, it’s also important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement. This should be achieved through compliance reports and key performance indicators (KPIs) considered by a Corporate Information Governance Group (CIGG). Our survey found –31% of councils do not have a CIGG and 27% do not consider data protection training reports and KPIs.
Do council staff know what they need to know?
It’s vital all staff keep data protection in mind – staff not knowing what they need to about data protection is behind many of the information security incidents our enforcement team sees in the local government sector.
Although the majority of councils told us they provide mandatory data protection training for staff processing personal data, we found it concerning that 18% of councils did not.
It’s important councils remember to train temporary staff and provide annual refresher training for all staff. All the guidance on our website can be used for training, including our dedicated training resource area.
In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals. As such, it’s a good idea to have a proper incident management process. Yet our survey showed 14% of councils do not have an Information Security Incident Management Policy and 22% do not consider reports and KPIs for information security breaches.
The guidance highlighted in this blog is just a selection of help available from the ICO. Councils still need to be complying with the DPA in the run up to the implementation of GDPR. Adhering to good practice measures under DPA will stand organisations in good stead for the new regulations. We’ll be updating the dedicated GDPR section of our website regularly with more information and guidance. The ICO also offers audits, a full index of guidance and a helpline service.
Thanks to all those who took part in the survey. You can view the full results of the survey here.
Anulka Clarke joined the ICO in June 2004. Since 2015 Anulka has worked as an Audit Group Manager with responsibility for the Telecommunications sector, working with Data Protection, Privacy and Electronic Communications and Investigatory Powers legislation.
Latest News from
Information Commissioner's Office
Statement in response to media enquiries about the Data Protection Impact Assessment for the NHSX’s trial of contact tracing app11/05/2020 09:15:00
An ICO spokesperson said: “We are reviewing the Data Protection Impact Assessment for NHSX’s pilot of its contact tracing app in the Isle of Wight.”
Blog: Information Commissioner sets out new priorities for UK data protection during COVID-19 and beyond06/05/2020 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 05 May 2020.
COVID-19 contact tracing: data protection expectations on app development05/05/2020 09:10:00
Information Commissioner Elizabeth Denham and Executive Director of Technology and Innovation Simon McDougall appeared before the Human Rights Joint Committee yesterday (4 May 2020).
Statement in response to details about an NHSX contact tracing app to help deal with the COVID-19 pandemic27/04/2020 09:10:00
Statement given recently (24 April 2020) in response to details about an NHSX contact tracing app to help deal with the COVID-19 pandemic.
Blog: Combatting COVID-19 through data: some considerations for privacy20/04/2020 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 17 April 2020.
Blog: Video conferencing: what to watch out for17/04/2020 09:10:00
The COVID-19 crisis is changing the way we live our lives. Keeping our distance means many of us are working from home for the first time and adapting to new ways of doing our jobs.
How we will regulate during coronavirus16/04/2020 09:10:00
The ICO yesterday published a document setting out our regulatory approach during the coronavirus pandemic.
ICO statement on investigating coronavirus scams09/04/2020 09:10:00
ICO are supporting businesses eager to stay in touch with customers during the Covid-19 pandemic.
Winner of the ICO’s Practitioner Award for Excellence in Data Protection 2020 announced07/04/2020 12:25:00
Recognising the increasingly vital role played by data protection professionals, the third ICO Practitioner Award for Excellence in Data Protection is awarded to Barry Moult, Information Governance and Privacy Consultant, and former Head of Information Governance at an NHS Trust.