EDINBURGH City Council has been criticised by the Information Commissioner’s Office after an investigation into the way the country’s second-largest local authority deals with personal data.

In July, Edinburgh admitted that the email addresses and personal information of 13,000 people had been stolen by hackers.

No other information was lost in the attack and the council sent out an email to notify victims of the breach, confirming their email addresses were stolen in the incident.

The breach of the council’s data security was seen as a setback to plans announced throughout this year to transform its services to make them more accessible online.

Yesterday the Information Commissioner’s Office (ICO) revealed that a month before the hacking incident, it had found the council had no information security manager, and only one-sixth of its staff had completed a basic course of competence in data handling.

The most damning criticism of the council was that its lack of an information security manager or overarching information security policy was contrary to the local public services data handling guidelines.

The ICO went on to say: “Only 3,000 (approximately) of the 18,000 workforce had successfully completed the mandatory Information Governance Foundation elearning at the time of our visit.

“There is no documented target for subject access compliance across (the council). There is no record of the rationale for applying exemptions or withholding third-party data in response to subject access requests.”

The Information Commissioner’s Office is responsible for enforcing and promoting compliance with the Data Protection Act 1998.

Edinburgh council agreed on January 23, 2014, to a consensual audit of its processing of personal data by the ICO good practice department.

The audit investigated the processes in place for managing both manual and electronic records containing personal data.

In its audit published at the weekend, the ICO said: “There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance.

“The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.

“We have made three limited assurance assessments in respect of each of records management, subject access requests and data sharing, where controls could be enhanced to address the issues which are summarised below.”

The council emphasised that the audit was undertaken in June this year on the understanding that it could only assess current practices at the time. The audit was unable to take into account already planned improvements.

A council spokesperson said: “The council agreed to a consensual audit by the Information Commissioner’s Office in order to review our current data-processing practices, aiming to identify and confirm the areas in which we think improvements could be made.

“The council accepts the Limited Assurance rating and recommendations the ICO good practice team included in their report as the basis for improvement going forward. A number of areas of good practice were also identified within the report.”