A report from the council says 82 “information security incidents” were reported across the organisation between July 2011 and July 2012 – many of them down to human error – and four of them were deemed serious enough to report to the Information Commissioner’s Office (ICO).
“Whilst the Information Commissioner has closed one of these incidents, the council is still awaiting a decision on the remaining three incidents at the time of writing,” the 13th August report said.
It didn’t say what or whose information was involved.
The Information Commissioner has the power to issue fines of up to £500,000 to organisations that breach the principles of the Data Protection Act 1998, the report noted, adding that nearly two-thirds of the 21 fines issued so far have gone to local authorities.
“Personal or business sensitive information”
An Information Governance strategy has been developed and a new two-year post created to implement the strategy and deliver training across the workforce.
Staff have already undertaken an awareness training programme, but “further training is required for staff processing personal or business sensitive information in high and medium risk areas to ensure good data handling is understood and carried out at all times”.
The ICO is likely to want to see evidence of the council implementing improved governance arrangements across the organisation, the report said.
“It is important that we can demonstrate that the council has undertaken positive proactive action to mitigate against the chances of similar information security incidents taking place again,” the report said.
Recruitment to the new post will initially be through the council’s “talent pool”. If that doesn’t work out, the job will be advertised internally.
Handing the job over to the council’s official training contractor QA was considered, but rejected on the grounds that it wouldn’t represent value for money compared to using an internal resource.