UK Information Commissioner slaps enforcement notice on West Dunbartonshire Council for not having proper data protection training

May 1, 2016

One of the biggest challenges in privacy and data protection is ensuring that staff who use the data are properly trained and apply that training properly. Complex and comprehensive cyber security counts for very little if employees are fooled into giving away passwords or handle data poorly.

The UK council of West Dunbartonshire was audited by the UK Information Commissioner’s Office and advised to improve training in January 2013. In a follow-up audit in November 2013 it was chided for not implementing all the recommendations. As is the way of things, there was a data breach in 2014 due to, yes, inadequate training. As a consequence the Council has received an enforcement notice.

The media release provides:

A Scottish council has been rapped by the regulator for repeatedly failing to train staff around data protection.

West Dunbartonshire Council were told to implement training on several occasions, as well as being advised to put in place a policy around home working. But their failure to do so ultimately contributed to a data breach that led to a child’s medical reports being stolen.

The Information Commissioner’s Office carried out an audit of the council in January 2013. The audit gave a reasonable assurance of the council’s compliance with the law, but made recommendations for areas that needed improvement, including training for all staff and adopting a home working procedure. A follow-up audit in November 2013 showed progress, but showed some of the recommendations still had not been implemented.

In July 2014, the council reported a data breach to the ICO, after an employee had a bag containing confidential information stolen. The employee had taken details of an adoption case out of the office to work on from home, but a laptop and paperwork left in their car overnight were stolen.

An ICO investigation found the employee had not been given training on the Data Protection Act, and the council still had no guidance to staff on handling personal information when working from home. The council avoided a fine as the breach did not cause substantial damage or distress.

The council has now been issued with an enforcement notice obliging it to implement training and guidance, or face court action.

Ken Macdonald, Assistant Information Commissioner for Scotland, said:

“Time and time again we have told this council to make these changes, and yet they have still not completed everything we set out. We’ve been left with no choice but to issue this formal notice requiring them to act.

“Let’s be clear, what we’re asking for here is a basic requirement for an organisation that is trusted with large amounts of local people’s personal data. When people in Dunbartonshire provide the council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this was made clear to the council, this still hasn’t happened.”

The enforcement notice is found here.

The direction given to the Council is found at paragraph 10 of the Notice which provides:

10. In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the Act, he requires that West Dunbartonshire Council shall within 6 months of the date of this Notice take steps to ensure that:
(1) There is a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis;
(2) Completion of such training is properly documented and monitored to ensure training is completed within an appropriate timeframe;
(3) A home working policy is implemented to provide sufficient guidance for staff working remotely. A risk assessment should also be incorporated in the home working procedure to cover security of equipment.
