A SINGLE data protection breach could cost Herefordshire Council a fine of up to £200,000 imposed by the Information Commissioner’s Office (ICO).
The breach, in the People’s Services directorate, is so sensitive that to reveal its details also risks breaching the data protection act.
Cabinet has already been warned that the £100,000 original allowed for to cover any fine may have to be doubled. The case is currently in the hands of the council’s legal team.
Eighty data protection incidents have been logged by the council since June last year. Two audits of the council’s data protection practice say that the system offers only “limited assurance”.
But the audits do recognise the quality of work performed by the new information governance team (IGT) towards improving data management, particularly in People’s Services.
One audit was carried out by KPMG, the other by the council’s own internal audit process. Both reports returned a “limited assurance” rating.
As a result, the council was recommended to carry out personal data audits across its service areas as soon as possible.
Around 80 of the 120 team units identified have now undergone an information inventory.
An initial information asset register has been prepared ready to map to service functions, information asset owners and administrators by September 2013 for training to start in December.
This register will include the systems where the data is stored and will share reference with a similar register being compiled by Hoople.
The council’s audit and corporate governance committee will tomorrow (Friday) hear that of the 80 data protection incidents logged since June last year, three were self-reported by the council to the ICO and another three open incidents are likely to be self-reported.
Members will be told that the ICO finds the level of reporting “encouraging” and reflecting well on the “high visibility” of the IGT.
Teams identified as priorities for specialist training are adult social care, public health, and child social care.
Among other initiatives are:
• A review of available restrictions to prevent users from downloading personal and sensitive information from “unauthorised” sources such as personal home computers and hand held devices.
• A new IT access control policy which requires managers to review access permissions to the information they are responsible for every six months.
Talks are also underway with Hoople to determine a reliable approach across the nine other agencies it works with as suppliers.
The ICO can exercise statutory powers to enforce compliance with the Data Protection Act 1998, impose fines of up to £500,000 for breaches of the act, or prosecute individuals for offences under the act.