An Enforcement Notice from the Information Commissioner’s Office (ICO) which followed an investigation into the Council’s compliance with the Data Protection Act 1998.
In July 2014, the Council self-referred to the ICO after Legal Services had been advised by HSCP that the car of one of their employees had been broken into and a document including personal data which was contained in a bag had been stolen from the boot of the car along with other personal items.
On 26th April 2016, the Council received an Enforcement Notice from the ICO which followed an investigation into the Council’s compliance with the Data Protection Act 1998, following a security breach within HSCP on 21st July 2014. The areas noted by the ICO were:
- There is a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis;
- Completion of such training is properly documented and monitored to ensure training is completed within an appropriate timeframe;
- A home working policy is implemented to provide sufficient guidance for staff working remotely. A risk assessment should also be incorporated in the home working procedure to cover security of equipment.
Since the data breach incident was reported in 2014, there have been numerous contacts between the Council and the ICO before the Enforcement Notice was issued in 2016. During this time period, the ICO has requested responses and supporting evidence to a large number of questions that it has posed to allow them to investigate the breach further.
When the Enforcement Notice was received by the Council, there was a 28 day appeal period contained within to allow the Council to consider its position but the ICO released a press statement within two days of the notice without asking the Council for a response.
Part of the Enforcement Notice stated that “there is a mandatory training programme for all staff”. This is in contrast to Legal Services’ response at the time of the audit, which was for a “needs based” approach dependent on identifying the relevant staff who handle personal data as a large part of their job. This approach is comparable to most other local authorities and is the preferred option rather than embarking on a tick box exercise.
The Council is currently considering its position in relation to the appeal process, as well as taking in-house legal advice. The Data Protection Officer is also talking to other Scottish Local Authorities with a view to ensuring that the Council’s position is comparable to peers within the public sector.
It is anticipated that procedures for handling personal information and ICT security when working remotely or flexibly will be incorporated into guidance that OD are currently developing.
It should be noted that the Enforcement Notice was issued instead of a monetary penalty which could have been imposed with a sum of £500,000 being the maximum penalty.
The Enforcement notice followed enquiries dating back to the initial data loss in July 2014, but also referred to follow up from the Consensual Audit of Data Protection compliance which the Council underwent in January 2013, and which resulted in a finding by the Information Commissioner of “reasonable assurance” which is seen as being a very good outcome, despite the terminology.
In the response to the initial recommendations from the ICO Audit, the Council was very specific that its delivery would be targeted at specific staff: “A needs based data protection, information management and information security training will be delivered via the Council’s e-learning platform. This will be included as part of the induction process and a central log will be kept of all employees taking part. Specific awareness training will also be delivered council wide as required”.
Following the original recommendations, Legal Services began a process of compulsory Data Protection and Security training for all new staff through the induction process, and also identified staff groups through selection and discussion with the relevant services.
Examining the correspondence from the Information Commissioner’s office, the first reference to an apparent expectation that the Council would be providing Mandatory Training for all staff came in an email in July 2015, where the case officer enquired: “Is your data protection training a mandatory requirement for all staff and is refresher training provided periodically?” The Council’s response was: “The initial aim has been to prioritise front facing staff who handle personal data as well as staff whose duties include handling high volumes of personal data.”
It is the belief that, whilst the Council was undoubtedly at fault for the loss of the data, as the Council is responsible for the actions of its employees, the terms of the Press Release gave a materially false impression, in that it suggested that the Council had been repeatedly told over years that there was to be mandatory training for each employee of the Council and that the Council had failed to address that demand.
There will undoubtedly be resource implications associated with the proposed changes to delivery and uptake of training. These will be quantified once the frequency is determined; however, a universal approach will inevitably mean loss of productivity to services during attendance.
There are no financial implications from the ICO in relation to this data breach; however, there will be costs incurred by loss of productivity as staff who are identified as handling personal data are provided with time to review the data protection training via the e-learning platform. This will increase substantially if all staff are required to undertake this training.
Notes:
The Council has delivered face to face data protection and ICT Security training to around 1200 staff. This has focused on staff who handle personal data as part of their role such as our teams within customer services, housing maintenance, education, legal and regulatory services.