• Christine Mould
  • 14 October 2015

Data protection in Edinburgh

The City of Edinburgh Council (CEC) agreed on 23 January 2014 to a consensual audit of their processing of personal data by the Information Commissioners Office (ICO) Good Practice Department.

The ICO is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). 

Following pre-audit discussions with CEC, it was agreed that the audit would focus on the following areas:

  • Records management (manual and electronic)
  • Subject access requests
  • Data sharing

This audit found areas of good practice however also highlighted areas for improvement in the following areas:

  • There was no Information Security Manager or overarching Information Security Policy, contrary to the Local Public Services Data Handling Guidelines.
  • Information Asset Owners were not currently embedded at CEC and the corporate Information Asset Register is in the nascent stages of development.
  • Only 3,000 (approximately) of the 18,000 workforce had successfully completed the mandatory Information Governance Foundation e-learning at the time of the IOC’s visit.
  • There was no documented target for subject access compliance across CEC.
  • There was no record of the rationale for applying exemptions or withholding third party data in response to subject access requests.
  • The Covalent register of data sharing agreements did not have a dedicated field to record authorisation.

The general conclusion that the audit provided was there was a limited level of assurance that processes and procedures were in place and delivering data protection compliance. The audit identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.