Following an audit by the Information Commissioner’s Office (ICO) during September 2010, the council was assessed as offering a reasonable level of assurance in its ability to meet its obligations to protect people’s personal information.
The audit followed an invitation to the ICO from the council to review our compliance with the Data Protection Act 1998 (DPA). The council had experienced two incidents involving data security lapses, which it had reported to the ICO.
As a result, actions were taken by the council to consistently improve the handling of sensitive and personal data. These include:
- Mandatory information management training rolled out to all “Information Owners”
- Encryption of laptops and data sticks to prevent unauthorised access to data
- A review of processes for checking criminal records of staff and volunteers, and improvements to data security in relation to these
- Full risk assessments across all services, with improvement plans to ensure good information management, monitored through a strengthened Information Governance Group
These and other actions demonstrate the seriousness with which the council takes its data protection responsibilities. Further, through the audit process, the council wished both to seek assurance about the effectiveness of its processes and to learn how to further improve its management of potential risks.
The council continues to ensure that best practice is adopted, maintained and refreshed in all areas of our activities, to further support the embedding of DPA principles in the way we work.
The ICO conducted a follow-up audit review in July 2012, and the council was assessed as offering a high level of assurance.