DATA protection and information security remain priorities for Herefordshire Council despite past warnings over practice.
This week, the council’s audit and corporate governance committee will be told that staff face “disciplinary proceedings” where relevant data protection training has not been completed.
The present situation means no data protection concern is seen as too minor to be reported.
Some suspected breaches were committed by agency staff and needed an “alternative method” of ensuring compliance.
The committee will also be told of the council’s apparent “lack of focus” over fraud.
New internal audit provider South West Audit Practice has been given responsibility for a range of fraud initiatives related to detection and prevention.
Fraud and governance audits have been completed for members and staff expenses.
There has been an on-going drive to get all staff to complete mandatory training to a December deadline.
The committee will be told that a final report is awaited to identify those who have not completed and face disciplinary proceedings.
Alternative methods of ensuring compliance in a “number of cases” where exceptions have been requested are expected to be completed by March.
There have also been issues over getting non-disclosure and confidentiality agreements signed by staff, including interim appointments and agency assignments.
The committee will be told of further work required to identify those not signed up.
Data security has been a long running issue for the council.
Last year, as reported by the Hereford Times, the council’s former auditors KPMG gave the authority a “limited assurance” grading on information protection despite a similar, previous, warning over its systems from the Information Commissioner’s Office (ICO).
But audits have recognised the quality of work done by the council’s information team towards improving data management.
Latest figures – for the municipal year ending April 2013 – show 64 potential data protection breaches reported to the council's information governance team for investigation.
Two breaches were substantiated as serious enough to go to the Information Commissioner with one adjudication coming back as needing no further action.
The council is still waiting on a second adjudication.
Other reports break down to:
2 - information left in public
18 - inappropriate disclosure
24 - information sent to the wrong address
2 - information incorrectly recorded
4 - information left on printer
3 - lost device
4 - inappropriate access
3 - data lost in transit
1- inappropriate storage of data
3 - other.
Bill Norman, the council’s assistant director (Governance), said the “vast majority” of reported concerns were situations where people’s data was kept safe but correct procedures were not followed.
“We encourage our staff to raise even minor concerns with the information governance team this allows us to investigate and improve our procedures. All data breaches are unacceptable and the council rightly has a focus of continuous improvement around data security,” he said.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here