Blog: Information Governance Survey: What councils need to do now

Gigacycle > Information & Guidance  > Blog: Information Governance Survey: What councils need to do now

Blog: Information Governance Survey: What councils need to do now

20 March 2017

We’re here to help local councils comply with the Data Protection Act and get ready for the new General Data Protection Regulation

The ICO’s Good Practice department conducted a survey at the end of last year to find out more about information governance practices in local government. It received 173 responses. We already knew from our work with councils that there are some positive measures in place at local authorities but wanted to find out more about patterns of existing practices.

The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations.

The stand-out findings from our survey are highlighted in the infographic below.

The links in this blog will direct councils to some of the key areas they need to consider in their GDPR preparations. And, as always, we will continue to be on hand with practical advice on how to improve.

Adopt a privacy by design approach

Our survey results found that although most councils carry out privacy impact assessments (PIAs), 34% of councils still do not. That will need to change. GDPR makes it a legal requirement for councils to conduct data protection impact assessments

Councils will benefit from producing their own PIA process and accompanying guidance to ensure privacy issues are considered as part of projects.

When it comes to other important policies, it was good to see that 93% of councils have a data protection and information security policy. But 37% of councils have no data sharing policy, despite increasing data sharing requirements to provide certain services. Our data sharing guidance

Councils should make sure all their data protection policies are reviewed annually.

Have the right staff in place

A quarter of councils told us they don’t have a data protection officer. Under GDPR the role of data protection officer

It is good practice for councils to appoint a Senior Information Risk Owner (SIRO) to help manage information risk, so we’re pleased to see that 90% have created this role.

Local councils hold a lot of personal data across a wide range of services. Establishing an Information Asset Register (IAR) will help ensure a council knows what information it holds, where it is and which Information Asset Owner (IAO) is responsible for it. Yet our survey showed just 17% of councils has a complete IAR and 34% have yet to appoint IAOs.

The Local Public Services Data Handling Guidelines

As well as keeping track of the information held, it’s also important for councils to consistently monitor and benchmark their levels of compliance in order to facilitate continual improvement. This should be achieved through compliance reports and key performance indicators (KPIs) considered by a Corporate Information Governance Group (CIGG). Our survey found –31% of councils do not have a CIGG and 27% do not consider data protection training reports and KPIs.

Do council staff know what they need to know?

It’s vital all staff keep data protection in mind – staff not knowing what they need to about data protection is behind many of the information security incidents our enforcement team sees in the local government sector.

Although the majority of councils told us they provide mandatory data protection training for staff processing personal data, we found it concerning that 18% of councils did not.

It’s important councils remember to train temporary staff and provide annual refresher training for all staff. All the guidance on our website can be used for training, including our dedicated training resource area

In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals. As such, it’s a good idea to have a proper incident management process. Yet our survey showed 14% of councils do not have an Information Security Incident Management Policy and 22% do not consider reports and KPIs for information security breaches.

The guidance highlighted in this blog is just a selection of help available from the ICO. Councils still need to be complying with the DPA in the run up to the implementation of GDPR. Adhering to good practice measures under DPA will stand organisations in good stead for the new regulations. We’ll be updating the dedicated GDPR section of our website

Thanks to all those who took part in the survey. You can view the full results of the survey here

Anulka Clarke joined the ICO in June 2004. Since 2015 Anulka has worked as an Audit Group Manager with responsibility for the Telecommunications sector, working with Data Protection, Privacy and Electronic Communications and Investigatory Powers legislation.

Go to Source

No Comments

Sorry, the comment form is closed at this time.