Survey on information governance reveals that many are failing to follow good practice in their approach to the General Data Protection Regulation
Many local authorities are falling short on their responsibilities for data protection, according to the results of a survey carried out by the Information Commissioner’s Office (ICO).
It has published its findings, warning that many are not well prepared for the implementation of the General Data Protection Regulation next year, although an early adherence to the good practice measures under the existing Data Protection Act (DPA) would be a positive step.
Anulka Clarke, the ICO’s audit group manager for the telecommunications sector, said that 173 councils had responded to a survey sent out by the organisation’s good practice department at the end of last year. Its overarching conclusion was that there are examples of good practice but also significant shortcomings.
A quarter of councils said they did not have a data protection officer – a requirement of the GDPR – and 18% had no data protection training for employees who process personal data. In addition, 34% did not carry out privacy impact assessments, another necessity under the GDPR.
Although 93% had a data protection and information security policy, 37% did not have one for data sharing, despite data sharing becoming a key element of some services. The ICO emphasised the role of its data sharing guidance in supporting a policy.
Other disappointing results were that:
- Just 17% of councils had a complete information asset register.
- 34% were yet to appoint information asset owners.
- 31% did not have a corporate information governance group.
- 27% did not consider data protection training reports and key performance indicators.
- 14% did not have an information security incident management policy.
“Councils still need to be complying with the DPA in the run-up to the implementation of GDPR,” Clarke said. “Adhering to good practice measures under DPA will stand organisations in good stead for the new regulations.”