Local governments hold a huge amount of information, including sensitive personal data. This data needs to be handled in a discreet manner in order to protect people’s identities, reputations and privacy, as well as keeping within legal requirements.
Regulations
- There are many regulations that define how information and data need to be handled and protected. In England, these include:
- The Data Protection Act 1998 (DPA)
- The common law duty of confidentiality
- The Social Care Record Guarantee for England
- The international information security standard: ISO/IEC 27002: 2005
- The Freedom of Information Act 2000
- The Human Rights Act article 8
- The Code of Practice for the Management of Confidential Information
Additional regulations cover Wales, Scotland and Northern Ireland. These regulations have been put in place to cover a variety of data types, from contact details to financial information and medical records – there are also a number of regulations that specifically relate to the NHS and social services and how they deal with information. Accessing the Public Services Network (PSN) – a nationwide network of public services data – also requires users to demonstrate a high level of data protection.
Compliance: what is required?
The various regulations have different requirements, but they all share the primary objectives of maintaining confidentiality, protecting data and keeping information secure. As part of this, organisations must be able to demonstrate how their management structures and responsibilities ensure compliance. In each case, a robust data framework should determine how data is collected and stored. It also needs to define how data is used and when it can be shared. This will help to ensure that personal information is processed legally, securely, efficiently and effectively.
Non-compliance
The consequences of non-compliance depend on which regulations have been violated. The DPA, for example, details a number of civil and criminal offences that a data controller may be liable for if they fail to gain appropriate consent from a data subject. Other offences under the DPA include:
- processing personal information without registration
- failing to comply with notification regulations
- obtaining unauthorised access to personal data Compliance with the DPA is regulated and enforced by the Information Commissioner’s Office.
This is an independent body that can impose monetary penalties for breaches.
Risk management software from JCAD
JCAD’s CORE risk management software is a flexible framework that can help local authorities – and other organisations in both the public and private sectors – to identify, monitor and mitigate risk. In addition, JCAD CORE can be used to help demonstrate compliance. The system makes it easy for users to monitor records, store documentation, view tasks and track what actions are taken to reduce risk and keep within regulations.