Anglesey County Council repeatedly ignored ICO calls to improve data protection
ICO gives Welsh council three months to get its data protection practices up to scratch
Anglesey County Council has repeatedly ignored calls from the Information Commissioner's Office (ICO) to improve its data protection.
The ICO said that two separate security incidents, dating back to 2011, led to the council signing undertakings to make changes and improve practices. However, despite that commitment, audit visits in July 2013 and October 2014 still unearthed problems with the way that the council secured personal data.
"The commissioner is satisfied that the council has contravened the seventh data protection principle, in that it has failed to take appropriate security measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data," the ICO claimed in its enforcement notice.
Now, the ICO has given the council notice that it must get its act together within three months - or incur further action from the data protection watchdog.
The actions that the council is asked to take include:
- Ensuring that data protection key-performance indicators and measures are monitored and acted upon;
- Introducing a mandatory data-protection training programme for all staff, as well as a refresher training course every year;
- Ensuring that information is backed up to the external server on a daily basis; and
- Testing back-ups periodically to ensure that they have not degraded and that information is recoverable.
The council will also have to ensure that physical access rights are revoked promptly when staff leave and periodically reviewed to ensure that appropriate controls are in place. It will also have to address the lack of adequate storage solutions for manual records and enforce a clear-desk policy.
The council has a right to appeal the decision taken by the ICO.