Almost a year ago the Information Commissioner's Office published its findings on how a selection of local authorities conducted their incident management and information risk. Now the ICO has updated its GDPR guidance for local government, in particular around breach reporting and Data Protection Officers (DPOs).
The ICO recommends that leaders and senior managers in local government pay particular attention to how they will manage risk, information and staff training.
It is also important to be aware of the local authority's policies on transparency: releasing information to the public, sharing information securely with partners, and keeping data secure.
As touched upon above, effective information security training should be given to all members of staff. They should understand the importance of sending only relevant information to outside recipients, and take steps to confirm that the information has reached the intended recipient.
The Information Commissioner's Office has produced a list of questions that leaders and senior managers should ask themselves regarding personal information.
This is a reference to the purpose limitation principle in Article 5(1)(b) of the GDPR, which states that personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".
If the new or changed purpose for processing data is compatible with the original one, there is no need to look for a new lawful basis, unless the original basis relied upon was consent. Article 5(1)(b) also treats further processing for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes as compatible with the original purpose. If the new purpose is not compatible, a new lawful basis must be identified before the processing begins.
Making sure contact details and consent records are up to date can save time and money, reducing the number of letters sent to the wrong addresses and emails sent to individuals not interested in your news or services.
The GDPR states that when collecting personal data, individuals should be told how long you plan to retain it or, where that is not possible, the criteria used to determine the retention period (Article 13(2)(a)).
The General Data Protection Regulation changes the requirements for reporting a breach to the Information Commissioner's Office. A breach that is likely to result in a risk to individuals' rights and freedoms must be reported without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. For local government to be able to fulfil this requirement, clear incident planning needs to be in place to start with.
So what should local government be asking themselves?
Make sure that all staff in the department are able to understand what a personal data breach is and can identify one. This is as much about work culture as it is a training opportunity. The leaders in an organisation should lead by example.
Prepare a response plan for addressing any personal data breaches that arise and ensure that staff know who is responsible for reporting breaches to the ICO.
Create processes for assessing whether a breach is likely to result in a risk to individuals' rights and freedoms, for notifying the ICO of a breach within the 72-hour window, and for continuous improvement after each incident.
Minimum pass marks should be set for staff training on the GDPR and data protection. In certain circumstances, specialist information security training might be required. The guidance suggests that training should be refreshed annually.