The Courier & Advertiser (Perth and Perthshire Edition)
Study reveals council broke data protection laws nearly 100 times
INFORMATION: Local authority committed nearly 100 breaches in the last year
“The DPO is confident that a reasonable degree of compliance has been achieved and that progress towards increased compliance across all services will continue. DONALD HENDERSON
Perth and Kinross Council broke strict data protection laws nearly 100 times in the last year.
A new study has revealed an increase in the number of GDPR (General Data Protection Regulation) failures by the local authority.
The 96 breaches – up from 89 the previous year – are mostly made up of email errors and unauthorised disclosures of personal documents.
There have also been a handful of cases where data has been lost, and when staff have been given access to private information.
The majority of all breaches were in the education and children’s services department.
Almost all of the cases recorded between April 2019 and March this year were investigated in-house by the council’s data protection officer, however four were reported to Scotland’s information commissioner.
One of these cases was deemed so serious that the commissioner’s office called for a procedural change among all staff. No details are given of the incident, but it is understood to relate to employees working from home.
In the 12-month period, the council has received 19 complaints, either from the commissioner’s office or directly from the people who were the subject of the breach.
In the past, the council has accidentally sent a school report to the wrong parents, mistakenly given six staff access to personal information and left private data in a public place.
In a report to councillors this week, Data Protection Officer (DPO) Donald Henderson notes: “It would appear that employees across the organisation understand breaches caused by unauthorised disclosure and the DPO is confident that all significant data breaches of this type were reported during the year.
“The DPO is aware, however, that the other types of data breach are less well understood and will continue to provide advice and guidance about breaches and breach reporting.”
He added: “While, like all other local authorities and organisations undertaking a similar range of functions and volume of activities, the council is not fully compliant with data protection legislation, the DPO is confident that a reasonable degree of compliance has been achieved and that progress towards increased compliance across all services will continue.”