Shropshire Council

Data protection audit report

Following an audit by the Information Commissioner’s Office (ICO) in September 2010, we were assessed as offering a reasonable level of assurance in our ability to meet our obligations to protect people’s personal information. The audit followed an invitation from us to the ICO to review our compliance with the Data Protection Act 1998 (DPA). We'd experienced two incidents involving data security lapses, which we'd reported to the ICO. As a result, we pledged to consistently improve our handling of sensitive and personal data, to include:

  • Mandatory information management training rolled out to all “information owners”
  • Encryption of laptops and data sticks to prevent unauthorised access to data
  • A review of processes for checking criminal records of staff and volunteers, and improvements to data security in relation to these
  • Full risk assessments across all services, with improvement plans to ensure good information management, monitored through a strengthened Information Governance Group

These and other actions demonstrate the seriousness with which we take our data protection responsibilities. Further, through the audit process, we wished both to seek assurance about the effectiveness of our processes, and to learn to improve further our management of potential risks.

The ICO conducted a follow-up audit review in July 2012 and we were assessed as offering a high level of assurance.

We continue to ensure that best practice is adopted, maintained and refreshed in all areas of our activities, to support further the embedding of DPA principles in the way we work.