Extra, extra, read all about it!

Some top tips for public bodies on protecting data

Recent fines by the Information Commissioner’s Office (ICO) on local authorities serve as a timely reminder of the obligations on public bodies to protect data, particularly with the significant legislative changes on the horizon.

The ICO fined Gloucester City Council £100,000 after a cyber attacker accessed the sensitive personal information of council employees. The attack exploited the ‘Heartbleed’ software flaw and vulnerabilities in the council’s website security.

Meanwhile, Basildon Borough Council was fined £150,000 by the ICO for publishing sensitive personal information about a family. The council breached the Data Protection Act when it published the information in planning application documents which were publicly available online.

The results of a survey by the ICO published earlier this year also show that, while there is a lot of good practice out there, many councils still have a lot of work to do to prepare for the new General Data Protection Regulation (GDPR), which comes into force in May 2018.

Introduced to keep pace with today’s digital economy, the new legislation makes sweeping changes to data protection requirements and sets high standards on the privacy of personal data, which means existing practices are unlikely to be adequate. It also imposes severe penalties for non-compliance – up to €20 million or 4% of annual global turnover, whichever is greater. This far exceeds the current maximum of £500,000.

In order to avoid the financial and reputational risks of non-compliance, here are some of the key areas that councils should consider in their GDPR preparations:

  • Appoint a data protection officer, a role that is required under GDPR
  • Implement data protection training for staff, with refresher training at least every two years
  • Ensure that data protection and information security policies, as well as data sharing policies, are in place and reviewed annually
  • Complete an information asset register to determine what information the council holds, where it is and which information asset owner is responsible for it
  • Conduct privacy impact assessments in certain circumstances
  • Establish a proper incident management process for information security breaches

Councils should also consistently monitor and benchmark their levels of compliance through compliance reports and key performance indicators.

Having the right staff and procedures in place will be key to ensuring councils do not put personal information at risk and break data protection law. Speak to our data protection experts for help with complying with the new rules, starting with a thorough audit of data use, the identification of potential threats and the implementation of corrective actions.

If you have any questions regarding the above, please contact Kerry Beynon.
