The Information Commissioner’s Office is charged with enforcing the UK’s Data Protection Act. It has two primary weapons at its disposal: fines and enforcement notices. In this case, the accompanying enforcement notice places a legal requirement on Powys to improve its data protection practices and to train all staff in how to follow council guidance by March 2012, with refresher training every three years.
Iron Mountain’s Christian Toon believes that such incidents are usually “the result of carelessness and lack of thought rather than any malicious intention. Having said that, the public has the right to expect that information about them is handled with care at all times.” The answer is improved practices and improved staff training. He also believes that refresher training courses should be more frequent. “Refresher training should take place annually at least, and be backed up with a solid awareness programme.”
The ICO is currently asking the Ministry of Justice for the power to audit local councils’ data protection compliance on demand.