Council hit with enforcement notice over data protection training failures

The Information Commissioner’s Office has issued a Scottish council with an enforcement notice over its failure to train staff in relation to data protection.

The ICO had carried out a consensual audit of West Dunbartonshire Council in January 2013. This audit provided “reasonable assurance” of the council’s compliance with the law, but made recommendations for areas that needed improvement, including training for all staff and adopting a home working procedure.

A follow-up audit carried out by the ICO in November 2013 showed progress had been made since the original assessment. However, it also showed that some of the recommendations in the January 2013 audit report had not been implemented.

In July 2014, West Dunbartonshire reported a data breach to the ICO, after an employee had a bag containing confidential information stolen. The employee had taken details of an adoption case out of the office to work on from home, but a laptop and paperwork left in their car overnight were stolen.

An ICO investigation found the employee had not been given training on the Data Protection Act, and the council still had no guidance to staff on handling personal information when working from home.

According to the ICO, the council avoided a fine as the breach did not cause substantial damage or distress.

A further investigation was carried out after the data breach, and this has led to the issue of the enforcement notice.

The notice requires West Dunbartonshire to take steps within six months to ensure that:

1. There is a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis;

2. Completion of such training is properly documented and monitored to ensure training is completed within an appropriate timeframe;

3. A home working policy is implemented to provide sufficient guidance for staff working remotely. A risk assessment should also be incorporated in the home working procedure to cover security of equipment.

Ken Macdonald, Assistant Information Commissioner for Scotland, said: “Time and time again we have told this council to make these changes, and yet they have still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring them to act.

“Let’s be clear, what we’re asking for here is a basic requirement for an organisation that is trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this was made clear to the council, this still hasn’t happened.”