Northamptonshire County Council agreed to a consensual audit of its data protection practices with the Information Commissioner’s Officer in February 2015, which was undertaken during September 2015.
ICO audits help organisations in understanding and meeting data protection obligations. The audit includes recommendations from the ICO on how to improve.
This approach means that the Council benefits from data protection knowledge and experience of the ICO audit team, at no expense to the Council.
We asked the ICO to focus on areas of our data protection practice where we are focused on making improvements through our plans.
Of the three scope areas in which we were audited, the ICO found that the Council provided a “reasonable” level of assurance in data protection governance. It also found a “limited” level of assurance in training and awareness and records management. This resulted in a “limited” overall assurance rating.
Of 13 other Councils that were audited and had ICO summary reports published in the period from November 2014 to 30 November 2015, nine were assessed as ‘limited’, three as ‘reasonable’ and one as ‘high’.
The audit found that the Council has implemented a robust management framework for information management and records management, and praised our technical arrangements in records management and disaster recovery/business continuity plans.
We have already begun implementation of our plan to improve areas such as a requirement for policies, procedures and guidelines to follow an agreed format, styling and version control process; formally risk assessing information assets and reporting on those risks to the Senior Information Risk Owner; and creating a Training Needs Analysis.
The audit has provided a welcome opportunity to reflect on current practices and on-going work regarding information governance and to ensure that our plans are based on an expert independent view.