How can you keep council data safe?

  • High standards of information governance are a crucial consideration for local authorities when outsourcing services to third-party providers
  • Firms hoping to win contracts will need to provide evidence to show how they can keep sensitive data safe
  • We discuss the key characteristics of good information governance

Local authorities have always been responsible for huge volumes of data about their service users, much of it of a personal or sensitive nature.

In recent years, however, with increased outsourcing of public sector services, local authorities have begun to share more and more of this data with third parties, increasing the risk of data loss.

Only the health sector experiences more data security incidents than local government, according to the Information Commissioner’s Office (ICO).

The top causes of data security incidents include:

  • Data being emailed/posted to the wrong recipient
  • Paperwork being lost or stolen
  • Loss/theft of unencrypted devices (e.g. memory sticks)

Matthew Hillyer, Strategic Risk Consultant, Zurich Municipal, says: “Information governance is a high risk area for local authorities and is something that’s always on their radar.”

What local authorities will expect from suppliers

In order to reduce the risk of data loss, local authorities may ask companies tendering for work to meet pre-defined minimum standards of information governance, which generally fall into two key areas.

Hillyer says: “The first area concerns the physical measures that you have in place to protect data. For example, how do you control visitor access to areas of your premises where sensitive data may be held?

“Do your information security policies allow employees to print copies of confidential documents? Do you ensure that devices such as memory sticks are encrypted, and how regularly do you update your antivirus software?

“The second part of the equation is people. Local authorities will expect you to have good information policies that are easy to understand and adhere to.

“They will probably look for evidence of regular and relevant training of staff, and evidence that you raise awareness of new and emerging risks.”

How to achieve good information governance

Meeting these minimum standards may require significant investments of time and resources for some companies, for example upgrading IT systems, improving site security, or investing in staff training.

Hillyer says: “Although there are cost implications, any organisation that has high value information should be putting these measures in place to protect it.”

Contracts agreed with local authorities may prohibit businesses from sharing certain categories of data with third parties.

Hillyer says: “Where you are allowed to share information with another organisation, you should exercise due diligence.”

Questions to consider include:

  • Have you seen the other party’s information security policy and are you satisfied that it is sufficiently robust?
  • Does the organisation hold any certification surrounding information standards?
  • Is there evidence of any data protection training for management or staff?
  • Will it be necessary to conduct a site audit to see how securely their data is kept?

Data security: understanding the consequences

While the ICO may impose fines or other sanctions on organisations that fail to protect personal data, the biggest risk to businesses is arguably damage to their reputation.

Hillyer says: “If there is a breach involving local authority data, it’s likely to be sensitive information that’s lost, and it’s probably going to make headlines.

“You are going to struggle to win work with the public sector if there is clear evidence that you have poor standards of information governance.”

The increased willingness of local authorities to consider new ways of working, including outsourcing of services, presents significant opportunities for businesses that can demonstrate they are not only leading the way in their field, but also taking data security seriously.

And, adds Hillyer: “Taking appropriate measures to improve information governance will not just help businesses to win local authority work, it will also help them to function more effectively.”