West Dunbartonshire Council handed enforcement notice by ICO after failing to train staff on data protection

The council still doesn't have an adequate training process despite suffering a data breach in 2014

West Dunbartonshire Council has been handed an enforcement notice by the Information Commissioner's Office (ICO) after repeatedly failing to train its staff around data protection.

The ICO had carried out a consensual audit of the council in January 2013, which provided it with "reasonable assurance", a follow-up audit in November 2013 showed that progress had been made, but some of the recommendations in the January 2013 audit report had not been fully implemented by the council.

In June 2014, an employee left a laptop and paperwork about an adoption case in a car overnight, from which they were stolen.

The ICO said that the council had contravened the seventh data protection principle in that, as a data controller, it had failed to take appropriate organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Commissioner had to consider whether any contravention had caused or is likely to cause any person damage or distress.

In its notice the ICO said that the Commissioner "took the view that the likelihood of distress to the data controller's data subjects is self-evident".

The council now has to ensure that within six months it has: a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis; properly documented and monitored such training to ensure it is completed within an appropriate time frame; and, a home-working policy implemented to provide sufficient guidance for staff working remotely.

It said that a risk assessment should also be included in home-working procedures to cover security of equipment.

The council has 28 days from the date of the enforcement notice to appeal.