Edinburgh Council under fire from ICO for not appointing a CISO or training all its staff on information security

Only 3,000 of the council's 18,000 workforce had completed mandatory training, and there was no overarching information security policy in place

Edinburgh Council needs to improve its data security practices immediately, after the Information Commissioner's Office (ICO) raised a number of concerns following an audit of its operations.

Earlier this year, the council suffered a data breach that exposed 13,000 people's email addresses, but this was after the council had already agreed - back in January 2014 - to a consensual audit of its processing of personal data by the ICO Good Practice Department.

The audit took place earlier this year, and the ICO's overall conclusion was that there is a limited level of assurance that processes and procedures are in place and delivering data protection compliance.

"The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act," the ICO's audit report reads.

The ICO did acknowledge that there were some areas of good practice such as the use of Iron Mountain to generate monthly reports to identify files that had not been returned and raise concerns with the relevant service. It said that the use of the AXLR8 electronic case management system to generate automatic email reminders for subject access information deadlines was also good practice as it mitigated the risk of failure to comply with the statutory 40 calendar day period.

However, there were several areas in which the local authority needed to improve. The ICO said that there was no information security manager or overarching information security policy - both of which go against the local public services data handling guidelines.

"Information Asset Owners (IAOs) are not currently embedded at CEC and the corporate Information Asset Register (IAR) is in the nascent stages of development," the ICO claimed.

It said that only about 3,000 of Edinburgh Council's 18,000 workforce had completed the mandatory information governance foundation e-learning at the time of its visit.

The ICO also noted that no documented targets had been set for subject access compliance across the council, and that there was no record of its rationale for "applying exemptions or withholding third party data in response to subject access requests".

The ICO did not state how long the council has to get its data protection practices up to scratch.

Last week, the ICO revealed how Anglesey County Council repeatedly ignored its calls to improve its data protection practices. The ICO has given the council just three months to get itself in order.