ICO orders Welsh council to improve on data protection
- Data Protection
- 07.10.2015 01:00 am
The ICO has ordered Anglesey County Council to improve its data protection practices after it repeatedly failed to address security and privacy issues.
Two separate security incidents as far back as 2011 led to the council signing undertakings to make changes and improve practices. But despite committing to the improvements, audit visits in July 2013 and October 2014 still found unresolved problems with the security of personal data.
Anne Jones, Assistant Commissioner for Wales said:
"It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements. Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect. “Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.”
The enforcement notice orders the council to put in place mandatory data protection training for all staff, maintain a records management policy and ensure appropriate controls are in place when staff leave the organisation.
It is a breach of the seventh Data Protection Principle to fail to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.