ICO slams Council's 'startling' data security policy, threatens court order

Information Commissioner issues enforcement order which, if not upheld, will result in court action

The Information Commissioner's Office (ICO) has criticised Wolverhampton Council's "startling" approach to data security.

It comes after the council was previously warned it must take better care of people's sensitive information following an ICO investigation into a data breach which occurred in January 2012.

A council worker, who had not received any sort of data protection training, sent out a report which contained sensitive information which should have been removed.

The breach occurred despite previous warnings from the ICO over a two-year period, including one which followed an audit in December 2011, just one month before the data breach. The ICO had recommended the council introduce a mandatory data protection policy which explained how data should be stored securely.

However, the policy wasn't introduced until March 2013, and the ICO has found that, to date, more than two-thirds of Wolverhampton Council staff still haven't undertaken mandatory data protection training.

But rather than punish the council with a fine, the ICO has instead chosen to issue an enforcement order which demands all remaining staff be trained in data protection in the next 50 days, otherwise the matter will be treated as contempt of court.

"The lack of urgency displayed by Wolverhampton City Council is startling," said ICO head of enforcement Stephen Eckersley.

"Over two years ago, we reviewed the council's practices and highlighted the need for guidance and mandatory training to help its staff keep residents' information secure.

"Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained," he continued. "We have taken positive steps and acted before this situation is allowed to continue any longer and more people's personal information is lost."

Wolverhampton Council has issued a statement indicating that it accepts the findings of the ICO report.

"Over the past year, employees have been undertaking compulsory data protection training and we are on track to meet the ICO's deadline to complete this," it said.

"This is one of a number of significant measures we have put in place to improve the council's information governance service since the ICO's audit in 2011," the statement added.