The ICO (Information Commissioner’s Office) has ordered Anglesey County Council to improve its data protection practices after it repeatedly failed to address security and privacy issues.
The watchdog points to two separate security incidents as far back as 2011 that led to the council signing undertakings to make changes and improve practices. Despite that, the ICO says that audit visits in July 2013 and October 2014 still found unresolved problems with the security of personal data.
Anne Jones, Assistant Commissioner for Wales said: “It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements. Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect. Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”
The enforcement notice orders the council to put in place mandatory data protection training for all staff (including new starters, and refresher training), maintain a records management policy and ensure appropriate controls are in place when staff leave the organisation. The watchdog also wants and end to ‘lack of adequate storage solutions for manual records’, and calls for a ‘clear desk policy’.
The ICO points out that it is a breach of the seventh Data Protection Principle to fail to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
