Information Governance for Local Authorities
Local Authorities are facing unprecedented challenges at the present time, not least in terms of financial cuts. However, there are also key issues for the Local Government sector in relation to information assurance:
- Loss of unencrypted portable media with personal data
- FOI including poor records management
- Unlawful access to personal information via blagging
- Disposal of old IT equipment such as desktop and laptop computers
- Being involved in major losses in the last year.
Many LAs have been fined by the Information Commissioner for data breaches since the new powers to fine became available. The Deputy Information Commissioner, David Smith, was recently reported as saying that whilst the NHS has had many data losses, it has received only one fine so far. The difference seems to be that the NHS has a mandated IG framework with standards that is generally well implemented, and the organisations have documented evidence that staff have received training. When there is a data loss, it is clear that staff members are acting outwith the expected standards for which they have received training. The individual is therefore disciplined by the organisation, and the ICO is able to deduce that no further action is required.
In respect of LAs, there may not be an IG framework with standards in place, and there may have been inadequate efforts by the organisation to train staff members. In this situation, if there is a data breach, the organisation is more likely to be fined. However, there is now some help at hand with the new, voluntary, Information Governance Toolkit for Local Authorities.
This is an early, incomplete version. The idea is to build it up over the coming months. Please note that the Local Authority requirement list is in development and was included on the IG Toolkit website as part of ongoing work with a Local Authority working group. The intention is to develop additional requirements to complete the Local Authority requirement list during the lifetime of version 10 with Local Authority working group assistance. It is not complete or intended to be used in isolation.
This is also described in the “Organisation types” document available from the “Help” link: “This is a voluntary, developmental set of requirements for Local authority organisations. The requirements will be further developed during the lifetime of version 10 with the assistance of a Local Authority working group.”
The Toolkit is based on the Connecting for Health Toolkit, amended for Local Authorities and starting off with seven suggested requirements. Using the Toolkit is voluntary for LAs, but would start to help to create a structured Information Governance Framework. It covers the establishment of an IG framework; formal contractual arrangements that include compliance with IG requirements; IG training for all staff; requirements for confidentiality and data protection; and a formal information security risk assessment programme, with a Senior Information Risk Owner.
Cost of an Information Loss (Source: Price Waterhouse Coopers Survey 2012)
For small organisations, the total cost of the worst incident on average was £15,000-£30,000. For larger organisations it was £110,000-£250,000.
How we can help
We have a variety of products and services for Local Authorities.
There are a range of sources to assist Local Authorities in this area: