Showing posts with label Information Commissioner's Office. Show all posts

Tuesday 26 September 2017

Information Commissioner's Office calls on Brent Council to take measures to avoid future data protection breaches

Following the data breach by Brent Council, when the e-mail addresses of residents were disclosed to the other recipients of a message about a meeting, a complaint was made to the Information Commissioner's Office.

This is their response:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • To inform any other parties whose data may have been inappropriately disclosed in this case.

Although we do not intend to take any further regulatory action on this case, this will remain on our systems to help us build a picture of Brent Council’s information rights handling.

We will continue to monitor the council’s data protection practices, and should any regulatory action be taken against them in the future, your case may form a part of our intelligence against them. You can view any regulatory action we do take on our website, using the following link: https://ico.org.uk/action-weve-taken/
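As an added illustration, not part of the ICO letter or of the blog, the check below makes the ICO's Bcc point concrete: it lists the external addresses a message exposes through To/Cc (what every recipient of a Cc'd mailout sees), flags a message that should have used Bcc, and produces a corrected copy. The council domain, recipients and message are constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a council mailout that puts residents in Cc (hypothetical domains).
SAMPLE = """\
From: meetings@example-council.invalid
To: committee@example-council.invalid
Cc: alice@example.net, bob@example.org, "C. Smith" <carol@example.com>
Subject: Planning committee meeting

Details of the meeting are attached.
"""
INTERNAL = {"example-council.invalid"}  # the organisation's own domain(s); hypothetical


def parse(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message with the header-aware default policy."""
    return message_from_string(raw, policy=policy.default)


def visible_external(msg: EmailMessage, internal: set[str]) -> list[str]:
    """External addresses in To/Cc, i.e. the addresses every recipient gets to see."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    addrs = [a.lower() for _, a in pairs if "@" in a]
    return sorted(a for a in addrs if a.rsplit("@", 1)[1] not in internal)


def needs_bcc(msg: EmailMessage, internal: set[str]) -> bool:
    """The ICO's condition: two or more external parties would see each other."""
    return len(visible_external(msg, internal)) >= 2


def move_externals_to_bcc(msg: EmailMessage, internal: set[str]) -> EmailMessage:
    """Return a copy with every external To/Cc recipient moved into Bcc."""
    fixed = message_from_string(msg.as_string(), policy=msg.policy)  # working copy
    external = set(visible_external(msg, internal))
    for hdr in ("To", "Cc"):
        kept = [(n, a) for n, a in getaddresses(fixed.get_all(hdr, []))
                if a.lower() not in external]
        del fixed[hdr]  # no error if the header is absent
        if kept:
            fixed[hdr] = ", ".join(f"{n} <{a}>" if n else a for n, a in kept)
    bcc = {a.lower() for _, a in getaddresses(fixed.get_all("Bcc", []))} | external
    del fixed["Bcc"]
    if bcc:
        fixed["Bcc"] = ", ".join(sorted(bcc))
    if fixed["To"] is None:  # keep the message routable when no internal recipient remains
        fixed["To"] = "Undisclosed recipients:;"
    return fixed
```

Run as a pre-send hook or over an outbound mail log, `needs_bcc` is the detection and `move_externals_to_bcc` the mitigation; neither touches the message body.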

Thursday 24 December 2015

Only 'Limited Assurance' for Brent Council data protection in ICO Audit

The Information Commissioner's Office's recent audit of data protection at Brent Council resulted in a 'Limited Assurance' grade, the second lowest.

The report LINK Executive Summary states:
There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act.
Among the areas for improvement are (bold is my emphasis):
At present the [Council] have not implemented any endpoint controls which would restrict the import and export of data using portable devices, resulting in the risk that an individual could download personal information without authorisation or potentially introduce malware into the council's network.

There is currently no formally established programme of data protection security or information security related refresher training in place, with the last training of this nature being delivered via e-learning in 2012. Staff who commenced employment at the council prior to the last refresher course in 2012 may not have had data protection or information security refresher training for a significant period of time.

[The Council] reported a 64% subject access compliance rate during 2014. This increased to 78.6% during January - May 2015, and they are targeting 80% during 2015 and 95% for 2016. The ICO believes this latter target is more appropriate and [The Council] should also ensure that they prioritise requests which are in danger of falling outside the statutory 40 calendar day period.

[The Council] have aimed to raise awareness of data sharing through a combination of methods which include e-learning and use of the intranet. Despite this, awareness of specific data sharing policies and / or guidance amongst operational staff was low, with interviewees unable to make reference to specific policies.

There are inconsistencies in the use and completion of the Data Sharing Agreement (DSA) template and no specific provisions within the DSAs viewed as part of the audit to distinguish between fact and opinion within shared data. In addition, not all the DSAs and supporting procedural documentation specify retention periods for shared data or prescribe that the recipients of shared data must destroy or return that data once the relevant purpose is served or any relevant retention period expires.
There is an Appendix attached to the report showing that although Islington and Barnet Councils achieved the higher 'Reasonable Assurance' grade (second out of four grades), other councils also received only Limited Assurance. An Action Plan is tabled LINK and the ICO will conduct a desktop check within 6 to 9 months.