Local Government Lawyer Insight, February 2018

A cautionary tale for local government

Kerry Benyon highlights some common data protection issues and provides some tips on how local authorities can ensure their policies and procedures are sufficiently robust.

Recent fines imposed by the Information Commissioner's Office (ICO) on local authorities serve as a timely reminder of the obligations on public bodies to protect personal data, particularly with significant legislative changes on the horizon.

In June 2017 the ICO announced that it had fined Gloucester City Council £100,000 after a cyber-attacker accessed the sensitive personal information of council employees. The attacker exploited a weakness in the council's website, which led to more than 30,000 emails containing financial and sensitive information about council staff being downloaded from council mailboxes.

In May 2017 Basildon Borough Council was fined £150,000 by the ICO for publishing sensitive personal information about a family. The council breached the Data Protection Act when it published, in planning application documents that were publicly available online, information about the family that included details of disability requirements and the names, ages and location of family members. The council has since confirmed that it will appeal the ICO's decision, citing its duties under planning legislation, which requires the publication of all information relating to a planning application.

Meanwhile, towards the end of June 2017, up to 90 email accounts were allegedly compromised during the cyber-attack on Parliament, apparently as a result of weak passwords. Although it was reported that fewer than 1% of the 9,000 users of the parliamentary IT system were affected, the attack prompted officials to disable remote access to the email of MPs, peers and their staff as a safeguard. The National Cyber Security Centre and the National Crime Agency are investigating the incident to determine whether any data has been lost.

Changing data protection law

The results of a survey published by the ICO on its website earlier this year show that, while there is a lot of good practice out there, many local authorities still have a great deal of work to do to prepare for the General Data Protection Regulation (GDPR), which applies from May 2018. Introduced to keep pace with today's digital economy, the new legislation makes sweeping changes to data protection requirements and sets high standards for the privacy of personal data, which means existing practices are unlikely to be adequate. It also imposes severe penalties for non-compliance: fines of up to €20m or 4% of annual global turnover, whichever is higher.

At Acuity Legal we collaborate with industry partners who specialise in cyber security and data monitoring to cover the three main aspects of the cyber security Venn diagram (risk assessment, testing and certification, and ongoing monitoring), which apply equally to data protection. This collaborative approach means organisations can first carry out a detailed risk assessment to establish what information is held and to identify the risks of holding that information in terms of GDPR compliance. Our collaborative partners then help with penetration testing and relevant information security certifications, followed by security monitoring of the IT infrastructure as appropriate.

www.acuitylegal.co.uk