Edinburgh council ordered to improve data protection

City of Edinburgh Council (CEC) has received criticism from the Information Commissioner’s Office after a recent audit found a “limited level of assurance that processes and procedures are in place.”

The council agreed to a consensual audit by the ICO Good Practice Department back in January 2014, to monitor its processing of personal data.

It was agreed by both parties that the audit would include analysis of the council’s record management, subject access requests and data sharing.


Considerable scope for improvement

The resulting report concluded: “The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA (Data Protection Act).”

The auditors’ report commended several areas of practice, including the monthly reports generated to identify files that have not been returned, and the submission of draft sharing agreements to the Information Governance Unit (IGU) and Legal Services for review before the Information Council (IC) provides sign-off.

However, the ICO concluded that CEC must still make significant improvements to be compliant.


Key areas requiring improvement:

  • There is no Information Security Manager or overarching Information Security Policy, contrary to the Local Public Services Data Handling Guidelines.
  • Information Asset Owners (IAOs) are not currently embedded at CEC and the corporate Information Asset Register (IAR) is in the nascent stages of development.
  • Only 3,000 (approximately) of the 18,000 workforce had successfully completed the mandatory Information Governance Foundation e-learning at the time of our visit.
  • There is no documented target for subject access compliance across CEC.
  • There is no record of the rationale for applying exemptions or withholding third party data in response to subject access requests.
  • The Covalent register of data sharing agreements does not have a dedicated field to record authorisation.

The council is now tasked with making these improvements, though the ICO has not yet given it a specific timescale for completion.
