Ombudsman gives ICO undertaking after details of complainants left in pub

The Local Government Ombudsman has given an undertaking to the Information Commissioner’s Office after a bag belonging to one of its investigators was stolen from a pub.

The bag contained an encrypted portable media device and hard copy papers relating to eight complaints made to the Ombudsman about planning applications.

“This included some sensitive personal information relating to one of the complainants,” the undertaking said.

The ICO’s investigation revealed that there was a specific business requirement for the case papers to be removed from the Ombudsman’s office environment. The LGO also had – at the time of the incident – a policy on the security of information whilst in transit.

But the watchdog’s investigation also found that general staff awareness of policies was “lacking due to the insufficient provision of training”.

The Ombudsman has now agreed to ensure that personal data are processed in accordance with the Seventh Data Protection Principle. In particular it has agreed that:

  • “Mandatory induction and annual refresher training in the requirements of the Act shall be provided to all staff whose role involves the routine processing of personal data.
  • Provision of such training shall be recorded and monitored with oversight provided at a senior level against agreed KPIs to ensure completion. In addition, the data controller shall implement follow-up procedures to ensure that staff who have not attended/completed training do so as soon as is practicable.
  • The data controller shall ensure that staff are aware of the content and location of its policies and procedures relating to the use of personal data. A mechanism to ensure that staff are updated of any changes to these policies and procedures should also be implemented.
  • The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.”

A spokesman for the Ombudsman said: “We acknowledge the ICO’s report and accept its findings.

“The LGO always encourages councils to learn from their mistakes and we have learned from ours. We have reviewed our procedures and training to ensure this sort of incident does not happen in future.”

A copy of the undertaking, to be signed by the LGO’s operating officer Heather Lees, can be viewed here.