The Information Commissioner's Office recent audit of data protection at Brent Council resulted in a 'Limited Assurance' grade - the second lowest.
The report LINK Executive Summary states:
The report LINK Executive Summary states:
There is a limited level of assurance that processes and precedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act.Among the areas for improvements are (bold is my emphasis):
At present the[Council] have not implemented any endpoint controls which would restrict the import and export of data using portable devices resulting in the risk that an individual could download personal information without authorisation or potentially introduce malware into the council's network.There is an Appendix attached to the report showing that although Islington and Barnet Councils achieved the higher 'Reasonable Assurance' grade (second out of four grades) other councils also achieved the Limited Assurance. An Action Plan is tabled LINK and the ICO will conduct a desktop check within 6 to 9 months.
There is currently no formally establised programmes of data protection security or information security related refresher training in place, with the last training of this nature being delivered via e-learning in 2012. Staff who commenced employment at the council prior to the last refresher course in 2012 may not have had data protection or information securioty refresher training for a significant period of time.
[The Council] reported a 64% subject access compliance rate during 2014. This increased to 78.6% during January - May 2015, and are targeting 80% during 2015 and 95% for 2016. The ICO belives this latter target is more appropriate and (The Council] should also ensure that they prioritise requests which are in danger of falling outside the statutory 40 calendar day period.
[The Council] have aimed to raise awareness of data sharing through a combination of methods which include e-learning and use of the intranet. Despite this, awarness of specific data sharing policies and / or guidance amongst operational staff was low, with interviews unable to make reference to specific polices.
There are inconsistencies in the use and completion of the Data Sharing Agreement (DSA) template and no specific provisions within the DSAs viewed as part of the audit to distinguish between fact and opinion within shared data. In addition not all the DSAs and supporting procedural documentation specify retention periods for shared data or prescribe that the recipients of shared data must destory or return that data once the relevant purpose is served or any relevant retention period expires.