Almost a year ago the Information Commissioner's Office published their findings on how a selection of local authorities conducted their incident management and information risk. Now the ICO has updated their GDPR guidance for local government, in particular around breach reporting and DPOs.
Information sharing and data protection for local authorities
The ICO recommends that leaders and senior managers in local government pay particular attention to how they will manage risk, information and staff training. They should also:
- Ensure that the officer responsible for information governance and security is known to other members of staff and is aware of their duties.
- Ensure that there is a cabinet member in place who is the lead on Data Protection Act (and GDPR) compliance.
- Make sure that their local authority is registered with the ICO, as referenced in the Data Protection Act.
- Understand the policies around freedom of information, subject access and information sharing requests.
It’s also important to be aware of the local government’s policies around transparency and releasing information to the public, sharing it securely with partners, and keeping data secure.
Information security in local government
As touched upon above, effective information security training should be given to all members of staff. They should understand the importance of ensuring that only relevant information is sent to outside recipients, and take steps to confirm that the information has been received.
Managing personal information checklist for local government
The Information Commissioner's Office has produced a list of questions that leaders and senior managers should ask themselves regarding personal information.
Do your employees know to only collect the personal information they need for a specific business purpose?
This is a reference to the purpose limitation principle in Article 5 of the GDPR, which states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Is the requirement to tell individuals about new or changed business purposes understood?
If the new or changed purpose for processing data is compatible with the original one, there is no need to look for a new lawful basis, unless the original basis used was consent. When considering a new basis, you should ensure that it is in the public interest or is for scientific research and statistical purposes.
Is importance given to keeping information accurate and up to date?
Making sure contact details, as well as consent, are up to date can save time and money, reducing the number of letters sent to the wrong addresses and emails sent to individuals not interested in your news or services.
Is personal information that is no longer required securely disposed of according to data retention rules?
The GDPR states that when collecting personal data, you should tell individuals the time frame for which you plan to retain it.
Breach reporting tips for local government
The General Data Protection Regulation changes the requirements for reporting a breach to the Information Commissioner's Office. A breach must be reported within 72 hours of the organisation becoming aware of it. For local government to be able to fulfil this requirement, clear incident planning needs to be in place to start with.
So what should local government be asking themselves?
Know what a personal data breach is
Make sure that all staff in the government department understand what a data breach is and can identify one. This is as much about work culture as it is a training opportunity. The leaders in an organisation should lead by example.
Make sure staff know what they need to do
Prepare a response plan for addressing any personal data breaches that arise and ensure that staff know who the responsible person is for reporting breaches to the ICO.
Have a framework for reporting breaches
Create processes for assessing whether a breach is likely to pose a risk to individuals’ rights and freedoms, for notifying the ICO of a breach, and for continuous improvement.
Training should be business-as-usual
Minimum pass marks should be set for staff training on GDPR and data protection. In certain circumstances, specialist information security training might be required. The GDPR suggests that training should be refreshed annually.