Anglesey County Council has been warned to improve its data protection practices by the Information Commissioner's Office (ICO), who said the council has ‘repeatedly failed’ to address security and privacy issues.
The ICO has issued the council with an enforcement notice to improve the protection of personal data, saying it had not seen improvements following two separate incidents back in 2011.
‘It is not acceptable for an organisation to disregard the findings of audits or to fail to deliver promised improvements,’ said Anne Jones, assistant commissioner for Wales. ‘Anglesey Council has not provided sufficient evidence to show it has implemented our recommendations to the standards we would expect.
‘Put simply, the ICO lacks confidence in Anglesey County Council’s commitment to having the measures in place that are needed to keep people’s personal data secure. This enforcement notice puts an additional legal requirement on them to do so.’
Under the enforcement notice, the council must give all staff mandatory data protection, maintain a records management policy and ensure appropriate controls are in place when staff leave the organisation.
A statement from the council said: 'Following an initial data protection audit from the Information Commissioner’s Office in 2013, the county council embarked on a project to deliver an action plan agreed with the ICO.
More than 100 recommendations were implemented in the space of 12 months; with a follow-up audit by the ICO in 2014 showing a significant improvement in compliance.
Another 66 further recommendations were agreed in light of the re-audit in 2014 and to date the council has completed 22 actions. The council is surprised to receive the enforcement notice at this time and stage in its improvement.
However, the council is currently considering the actions referred to in the enforcement notice and will continue to cooperate with the ICO to implement the work-plan.'