Public concern about data security breaches has increased exponentially since 2006. High-profile cases such as the phone-hacking scandal, WikiLeaks, the data loss suffered by HM Revenue & Customs, and the emergence of various cyber threats have coalesced to make data security a key priority for local government leaders. The bottom line is that failing to keep personal data and other confidential information safe and secure can lead to serious reputational damage and even legal action.
In the UK, the Data Protection Act 1998 requires the controllers of personal data to keep this information safe, through the use of "appropriate technical and organisational measures". If a serious breach of security occurs the information commissioner, who is the statutory regulator, is likely to take action. This may take the form of penalties of up to £500,000.
The commissioner's power to issue penalties came into effect in April 2010 and so far Hertfordshire, Hounslow, Ealing and Surrey councils have all faced hefty fines of between £70,000 and £120,000.
In less serious cases, the commissioner can serve an enforcement notice or insist upon the signing of "undertakings", which bind the data controller to take steps to improve their security. Dozens of public sector organisations, including many local authorities, have faced these enforcement mechanisms in recent years.
Against this backdrop, it is essential that councils put in place proper measures to reduce the risk of security breaches, as well as safeguards to detect and deal with breaches if they occur. The measures adopted must be explained in detail, and staff should be trained on the issue.
In broad terms, proper measures for security will address technological, physical and people risks, as well as the managerial structures needed to encourage the right cultural behaviours within the organisation. Most councils should be able to address these issues easily with the help of a qualified data expert.
But what will prove more taxing is the design of new systems and operations for the detection and handling of incidents. Getting this wrong can aggravate a security breach to such an extent that the information commissioner is left with no alternative but to consider a fine.
Detecting incidents requires a mix of skills. Software controls can be used to detect the accidental sending of electronic data to the wrong people, for instance, but discovering whether an employee has left a file of papers on the train or in the pub is likely to rest on them owning up to the mistake. Would an employee want to own up if the culture of their organisation means they will face strong disciplinary measures for a first offence? Getting the balance right can be a difficult task, and often there are no easy answers.
Once an incident has been detected, the council needs to act properly to contain the problem, recover from it and reduce the risk of harm to itself and any third parties. In some circumstances the law expects an organisation to notify both the information commissioner and any other people affected by the breach, so that they can take measures to protect themselves.
At the moment local authorities are not subject to a statutory obligation to report data breaches in this way. However, the commissioner expects to be notified of serious incidents and has issued guidance to this effect. In 2008, the Cabinet Office issued equivalent guidance for government departments and agencies, making the point that it expected the wider public sector to adhere to the same practices.
To all intents and purposes local authorities are now working within a mandatory breach reporting regime. They cannot afford to get this wrong.
Stewart Room is a partner in Field Fisher Waterhouse LLP's privacy and information law group