As the Information Commissioner's Office (ICO) nears £2 million in issued monetary penalties, its head has admitted that there ‘is an underlying problem with data protection in local government'.
Reflecting on 2012 and two and a half years since it was given the power to issue monetary penalties, information commissioner Christopher Graham said that nineteen councils failing to have the most straightforward of procedures in place shows that ‘there is an underlying problem with data protection in local government'.
He said: “It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence.
“Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.
“The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.”
Graham said that it will be meeting with stakeholders from across the sector to discuss how the ICO can support them in addressing those problems.
Speaking to SC Magazine earlier this year, Graham said that one problem with local authorities, councils and government is that staff are dealing with personal information which is often sensitive; and that staff have to be made aware that they are dealing with people and not just numbers.
At the SC Magazine Total Security Conference in the summer, the ICO's principal policy adviser (technology) Dr Simon Rice, said that the 19 monetary penalties issued to businesses was ‘19 too many' and issuing finest was ‘not something that the office enjoys doing and it does not represent everything that we do'.
Also at the Gartner Security and Risk Management Summit, David Smith, deputy commissioner and director for data protection at the ICO, said that it was pressing for ‘power of custodial sentence', primarily for sentences that were 'punishing for not doing things properly'.
Asked if there was a timeline for custodial sentences to be introduced, Smith said there was not but said it was something the ICO had been pressing for a long time. “The government have resisted for several reasons, such as they do not believe in creating more and more crimes that can carry prison sentences, also Leveson is looking at this following the actions of journalists, so let's wait for his report,” he said.
The ICO also said that it is pressing the Ministry of Justice for stronger powers to audit local councils' data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK following a series of data protection breaches in the health sector.