EDINBURGH City Council has been criticised by the Information Commissioner’s Office after an investigation into the way the country’s second-largest local authority deals with personal data.
In July, Edinburgh admitted that the email addresses and personal information of 13,000 people had been stolen by hackers.
No other information was lost in the attack and the council sent out an email to notify victims of the breach, confirming their email addresses were stolen in the incident.
The breach of the council’s data security was seen as a setback to plans announced throughout this year to transform its services to make them more accessible online.
Yesterday the Information Commissioner’s Office (ICO) revealed that a month before the hacking incident, it had found the council had no information security manager, and only one-sixth of its staff had completed a basic course of competence in data handling.
The most damning criticism of the council was that its lack of an information security manager or overarching information security policy was contrary to the local public services data handling guidelines.
The ICO went on to say: “Only 3,000 (approximately) of the 18,000 workforce had successfully completed the mandatory Information Governance Foundation elearning at the time of our visit.
“There is no documented target for subject access compliance across (the council). There is no record of the rationale for applying exemptions or withholding third-party data in response to subject access requests.”
The Information Commissioner’s Office is responsible for enforcing and promoting compliance with the Data Protection Act 1998.
Edinburgh council agreed on January 23, 2014, to a consensual audit of its processing of personal data by the ICO good practice department.
The audit investigated the processes in place for managing both manual and electronic records containing personal data.
In its audit published at the weekend, the ICO said: “There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance.
“The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.
“We have made three limited assurance assessments in respect of each of records management, subject access requests and data sharing, where controls could be enhanced to address the issues which are summarised below.”
The council emphasised that the audit was undertaken in June this year on the understanding that it could only assess current practices at the time. The audit was unable to take into account already planned improvements.
A council spokesperson said: “The council agreed to a consensual audit by the Information Commissioner’s Office in order to review our current data-processing practices, aiming to identify and confirm the areas in which we think improvements could be made.
“The council accepts the Limited Assurance rating and recommendations the ICO good practice team included in their report as the basis for improvement going forward. A number of areas of good practice were also identified within the report.”