Councils, government and health service under scrutiny by the ICO as GDPR draws closer

Local and central government, health and police services have been highlighted for data protection breaches and complaints regarding Freedom of Information requests in the Information Commissioner's Office (ICO) annual report.

Public sector organisations have been highlighted in the ICO's latest report

The report, which covers the period 2016/17, names local government as the sector which generated the highest percentage of complaints regarding FoI requests, with 39 per cent of all complaints sent to the ICO referring to councils across the country.

Central government is the sector with the second-highest number of FoI complaints, at 17 per cent, followed by the police and criminal justice sector at 14 per cent.

All three sectors were in the top three regarding FoI complaints the previous year, the report shows, with councils generating 40 per cent of all complaints, central government on 17 per cent and police and criminal justice on 16 per cent.

Commenting on the findings, a Government spokesperson told PRWeek: "All Government departments are committed to complying with their obligations under the Freedom of Information Act 2000."

In the year 2016/17, the ICO said it handled nearly 5,500 complaints regarding the handling of FoI requests, an increase of nearly 5 per cent on the previous year.

Of these, the ICO said it took action in 27 per cent of all cases, while a further 25 per cent were "informally resolved", with the majority of the remainder of complaints either ineligible or made too early.

Other sectors highlighted regarding FoI handling include health, with 12 per cent of all complaints, and education, with 8 per cent.

The ICO’s report also ranked self-reported breaches of data protection legislation, by sector, with health services topping the rankings.

The health sector informed the ICO of 41 breaches of data protection law in 2016/17, although the report explained that this was due to its "mandatory reporting policy".

In second place, with 11 self-reported incidents, were local authorities, with the education sector in fourth and the police criminal records service in seventh.

Responding to the report, Nicola Growcott, communications manager at the National Police Chiefs' Council said: "Transparency and answering legitimate questions is hugely important in policing communications. Police forces strive to answer FOI requests fully and in good time while protecting sensitive information that could damage operations if released."

She continued: "Across policing 56,000 requests are dealt with every year but some of those are rejected because they would be excess cost or for data protection reasons. Complaints to the ICO are actually helpful in giving oversight on decisions on complex issues and clarifying points of law - the outcomes of those complaints shape future responses."

Next May, legislation called the General Data Protection Regulation (GDPR) will come into force - covering the whole of Europe, including the UK.

Under the new legislation, fines for data breaches will substantially increase from the current £500,000 maximum that the ICO can impose, up to €20m or four per cent of the organisation’s global gross revenue.

Any public-facing organisation that processes large amounts of personal data will be required to appoint a trained data protection officer to oversee their work by the time GDPR comes into force.

But a survey of local authorities by the ICO, earlier this year, found that many are woefully unprepared for the introduction of GDPR, with a quarter of councils admitting to the regulator that they do not have a data protection officer, while 15 per cent said they had not carried out data protection training for all employees who process data.

Worryingly, 7 per cent of local authorities surveyed by the ICO said they did not have a data protection policy in place, while 17 per cent said they did not have an FoI policy.

Commenting on the findings of the ICO’s annual report, the Local Government Association said councils took both data protection and cyber security "very seriously".

An LGA spokesperson said: "The fact that local government has provided the second-highest number of self-reported incidents in 2016/17 shows that they are not complacent and are alert to the problem."

The LGA said it was working with councils via its ‘Local Government Stakeholder Cyber Security Group’ to raise awareness of the issues and develop resilience.

The LGA spokesperson continued: "With less than 12 months remaining until GDPR comes into force, the LGA is working with councils and expert partners to develop training aids, knowledge sharing and support strategies…as councils and fire authorities make the necessary changes to procedures and organisational structures to support the new data management requirements."
