ICO lays down law to West Dunbartonshire following laptop theft and information loss
A Scottish council has been rapped by the Information Commissioner’s Office (ICO) for repeatedly failing to train staff around data protection.
West Dunbartonshire Council has been issued with an enforcement notice obliging it to implement training and guidance, or face court action, following the loss of sensitive information around an adoption case.
The council suffered a data breach in 2014 when a laptop and papers with a child's medical reports were stolen – after it had been told by the ICO on several occasions to implement training. It was also advised to put in place a policy around home working.
An ICO audit in January 2013 led to the first recommendations for training, and while a follow-up audit in November of that year showed progress, it also revealed that some of the measures had not been implemented.
The council had to report the data breach to the ICO in July 2014, after an employee had taken details of an adoption case to work on from home, then left a laptop in the car from which it was stolen.
An investigation found the employee had not been given training on the Data Protection Act, and the council still had no guidance to staff on handling personal information when working from home. The council avoided a fine as the breach did not cause substantial damage or distress.
Ken Macdonald, assistant information commissioner for Scotland, said: “Let’s be clear, what we’re asking for here is a basic requirement for an organisation that is trusted with large amounts of local people’s personal data.
“When people in Dunbartonshire provide the council with their details, they expect staff are trained to handle this information properly. Unfortunately, more than three years after this was made clear to the council, this still hasn’t happened.”