Lessons to be learned at Cambridgeshire County Council

The ICO, after its consensual audit at Cambridgeshire Country Council, expects that the council will improve its performance on responding to Subject Access Requests (SARs). At the moment, only 57% of requests receive a response within the statutory 40 calendar days. The ICO’s expectation is that organisations meet the deadline in 90% of cases.

The audit, conducted on 5 August, also revealed that there is no detailed guidance, documented processes or formal training available for the Information Governance Officers who handle requests. In general, the Council manages to train less than half of its workforce on information security.

Other areas of improvement identified were the need to start organising privacy impact assessments for data sharing arrangements, and develop formal procedures to routinely review the quality of personal information that is shared under existing Data Sharing Agreements.

On the other hand, the ICO says that the Council has guidance on its website for individuals on how to make a SAR, as well as in various leaflets provided to service users about how their information will be used.

The ICO has published an executive summary of the audit report which concludes that ‘there is limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DP Act.’

So far, the ICO has carried out another seven audits, follow-up or advisory visits to organisations during August. In July, there were 13 such visits.

See https://ico.org.uk/action-weve-taken/audits-advisory-visits-and-overview-reports/cambridgeshire-county-council/

The GDPR will introduce changes to SAR regime. PL&B organises a one-day seminar in Birmingham on 28 September called ‘EU Data Protection Regulation: Time to get organised in the UK or the Great Escape?’