Councils adopt IT policy

A MAJOR new action plan is being drawn up in a bid to prevent any more embarrassing and potentially catastrophic losses of computer data by Wigan Council.

The 47-point strategy is a response to two local security breaches in the last two years, the first of which involved the theft of a laptop containing the personal details of more than 40,000 of the borough’s schoolchildren.

The second involved the loss of a memory stick containing “sensitive personal data” of more than 200 people.

While the Department for Work and Pensions took ultimate responsibility for this cock-up, a Wigan Council probe identified shortcomings in its own processes.

In both cases the information had not been encrypted. And in the wake of the March 2009 burglary - from Children and Young People’s Services HQ at Westwood Park - the Information Commissioner found the authority guilty of breaching the Data Protection Act.

The information on the children included names, dates of birth, postcodes, ethnicity and, where applicable, details of any special educational needs or eligibility for free school meals. There was also data on national curriculum tests.

Families were sent letters of reassurance from the council and there is no evidence that the information was ever accessed or abused.

But an extensive audit of Wigan Council’s data protection procedures, including information storage and encryption, management responsibilities and training.

The Office of the Information Commissioner is due to come back for a follow-up visit next month and will expect to have seen improvements being made.

A report to this week’s Standards Committee and Audit Governance and Improvement Review Committee lists almost 50 recommendations to tighten up security.

They include:

Spot checks and routine monitoring of staff to test staff understanding of policies and procedures;

Improve the council’s assistant data protection officer’s training;

Carry out an audit identifying all corporate information assets containing personal data and document them in a register to include the location of the asset, owner, potential risks and controls;

Bring in a system of reporting incidents to the assistant DPO;

Implement compulsory data protection training for all staff handling personal data, including temps and student staff;

Make sure all remaining laptops are either encrypted or immediately locked out of the network;

Introduce a policy covering the safe disposal of confidential waste and manual records.

In many cases the measures have already been introduced.

The report reads: “The Council has a series of related policies in place to help maintain the security of the data it manages, Data Protection training has been provided for large numbers of staff...

“Despite this, due to the numbers of staff involved in processing personal data as part of their normal duties, and the ease with which information can now be transferred electronically, the situation for the council remains high risk.”

The report says the recommendations should go a long way to reducing these risks.