Training

Data good practice

by Mark Rowe

The new General Data Protection Regulation (GDPR) is due to come into force from May 2018.

The Good Practice department of the ICO (Information Commissioner’s Office), the data protection regulator, conducted a survey at the end of last year to find out more about information governance practices in local government. It received 173 responses. Although there is good practice out there, many councils have work to do, according to the ICO. Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations, the regulator says.

For example, although most councils carry out privacy impact assessments (PIAs), a third of councils (34 per cent) still do not. That will need to change, says the regulator. GDPR makes it a legal requirement for councils to conduct data protection impact assessments in certain circumstances. A quarter of councils reported that they don’t have a data protection officer. Under GDPR the role of data protection officer is required in public authorities.

Although the majority of councils told the ICO that they provide mandatory data protection training for staff processing personal data, the regulator found it concerning that 18pc of councils did not.

Anulka Clarke, ICO Head of Good Practice, said: “It’s important councils remember to train temporary staff and provide annual refresher training for all staff. All the guidance on our website can be used for training, including our dedicated training resource area.”

For more details visit the ICO website.

Comment

Marc Agnew, Vice President, ViaSat Europe, said: “The ICO survey revealed that 37pc of councils have no data sharing policy, which is a major concern as the public sector handles by far the largest amounts of sensitive data, meaning the opportunities for a breach are greatly increased. With the upcoming GDPR, the government needs to do more to meet their obligations to securely handle personal information and councils need to ensure that they are providing effective education to staff. The ICO can only do so much when it comes to providing guidance and subsequently fining offenders; organisations need to start taking data protection seriously and protect the often very sensitive data they hold.

“As more than 15pc of councils don’t have data protection training for employees processing personal data, councils need to look at the training workers are given, and ensure they not only know how to reduce the risk of a successful attack, but also how to react. This includes assessing the security technology in use; from firewalls to anti-virus to encryption being used, but also the actual data (by both the organisation and also individuals using these services), so that any data that is stolen is essentially worthless.”

© 2024 Professional Security Magazine. All rights reserved.