A quarter of councils do not have a data protection officer, while a third are failing to complete privacy impact assessments, a new survey has revealed.
The survey by the Information Commissioner’s Office (ICO) also found that more than 15% of councils do not have data protection training for staff processing personal data.
It also showed that 37% of councils have no data sharing policy in place, with only 17% completing an Information Asset Register (IAR) to show what information they hold.
The ICO warned that many councils still have a lot of work to do in order to prepare for the new General Data Protection Regulation (GDPR) coming into force from May 2018.
Under the GDPR, councils will be legally required to conduct data protection impact assessments in certain circumstances and appoint a data protection officer.
In a new blog, Anulka Clarke, ICO head of good practice, outlined the key areas councils must consider in their GDPR preparations.
She wrote: ‘It’s vital all staff keep data protection in mind – staff not knowing what they need to about data protection is behind many of the information security incidents our enforcement team sees in the local government sector.’
She added: ‘In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals. As such, it’s a good idea to have a proper incident management process.
‘Yet our survey showed 14% of councils do not have an Information Security Incident Management Policy and 22% do not consider reports and KPIs for information security breaches.’