'Clear room for improvement' for data protection in local authorities, finds ICO

No councils get high assurance rating for data protection in Information Commissioner's Office audit report

There's "clear room for improvement" in how local authorities comply with the Data Protection Act, the Information Commissioner's Office (ICO) has said.

The ICO made the statement as it launched its report detailing audits of 16 local councils made last year, which saw none of the authorities involved given a high assurance rating when it comes to matters concerning data protection.

Of the 16 councils audited, six were told they had "considerable room for improvement" while one was advised it needed to take "immediate action". The ICO hasn't divulged what ratings it gave to which councils.

The report includes a list of areas for improvement identified by the audits, notably improving training and ensuring effective data protection governance is in place. Good practice surrounding information security is also advised.

In total, the ICO has issued financial penalties totalling £2.3m to local authorities for data breaches and data protection issues. However, despite earlier this year describing Wolverhampton Council's approach to data protection as "startling", the ICO issued a warning instead of a fine.

"It's clear that there's room for improvement, and not just by the local authorities we visited: the areas for improvement we identified in those visits should prove helpful to many local authorities," said John-Pierre Lamb, ICO group manager in the good practice team.

"By learning from the mistakes of others, and indeed learning from the examples of good practice we found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door," he continued, adding that the ICO understands authorities have budget constraints, but they must still ensure they comply with data protection.

"Our figures show that local authorities have much to do to improve data protection governance and training," said Lamb.

"We recognise that councils are having ‘to do more with less' due to ongoing budgetary pressures, but it is important to appreciate that the lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA," he said.