West Dunbartonshire Council Follow-up data protection audit report
Auditors: Lee Taylor (Audit Team Manager), Jonathan Kay (Engagement Lead Auditor)
Data controller contacts: Michael Butler (Data Protection/Information Protection Officer)
Date of first draft: 14 November 2013

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests with the management of West Dunbartonshire Council.

We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

ICO follow-up data protection audit report 2 of 30
Contents
1. Background (follow-up assessment)
2. Follow-up audit opinion
3. Summary of follow-up audit findings
4. Follow-up audit grading
5. Detailed follow-up audit findings
1. Background

1.1 The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation's processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit.

1.2 The Information Commissioner's Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach.

1.3 The original audit took place at West Dunbartonshire Council (WDC) premises between 15 and 17 January 2013 and covered Records Management, Security, and Data Sharing. The ICO's overall opinion was that there was Reasonable assurance that processes and procedures are in place and being adhered to. The ICO identified some scope for improvement in existing arrangements in order to achieve the objective of compliance with the DPA.

1.4 28 recommendations were made in the original audit report. WDC responded to these recommendations positively, agreeing to formally document procedures and implement further compliance measures.

1.5 The objective of a follow-up audit assessment is to provide the ICO with a level of assurance that the agreed audit recommendations have been appropriately implemented to mitigate the identified risks, support compliance with data protection legislation and implement good practice.

1.6 The ICO completed a desk based follow-up in November 2013 to measure the extent to which West Dunbartonshire Council had implemented the agreed recommendations and identify any subsequent change to the level of assurance previously given. This was based on a management update from West Dunbartonshire Council signed off at Board Level.
2. Follow-up audit opinion

Overall conclusion

Based on the implementation of the agreed recommendations made in the original audit report, the ICO considers that the arrangements now in place provide a reasonable assurance that processes and procedures to mitigate the risks of non-compliance with DPA are in place.

Reasonable assurance

The current position is summarised as 2 reasonable assurance and one high assurance assessments, which shows an improvement from the original position of 2 reasonable and 1 limited assurance assessments in March 2013.

The detailed findings and action plan at section 5 of this report show the current position with regard to the implementation of the agreed recommendations. The confirmed that 14 actions were complete, with 13 ongoing/partially complete.
3. Summary of follow-up audit findings

3.1 Areas of good practice

The Executive Director of Corporate Services has been identified as Senior Information Risk Officer (SIRO) for WDC, and their responsibilities in respect of Records Management, Data Protection and Freedom of Information have been defined within WDC's Scheme of Delegation. The SIRO is supported by an IT strategy group made up of staff from across relevant specialisms in WDC.

Information security risks and mitigating actions are recorded on WDC's risk management system and are managed throughout the organisation in a structured way with oversight by the SIRO.

A central record of data sharing has been created and is updated as necessary, and the Data Protection Officer has been identified as the responsible officer.

Dedicated e-learning modules have been developed for both data protection and ICT security, and these are being rolled out to staff as part of a revised induction process.

The Data Protection Officer has commenced site visits to review the implementation of a clear desk policy and reports the results to Heads of Service. Clear desk working formed part of the DPA and ICT security awareness session for staff moving to the new WDC office facility.

3.2 Areas for improvement

Reconciliation of retention periods between manual records and the Saffron system has not yet been resolved due to interdependencies with other systems. Discussions with sections using Saffron have taken place, and work continues with the services and vendor to find a solution.

Records Management performance measures and reporting mechanisms are being researched, with discussions with West Lothian Council over implementing their performance framework, but there is no framework in place yet. However, records management is now being considered as part of the Internal Audit work programme and the results are reported to the Records Management Officer and to the records management Working Group as appropriate.

Solutions for the locking down of USB ports are being investigated, but locked ports have not yet been implemented and will be introduced as part of the ICT modernisation project.
4. Follow-up audit grading

Follow-up audit reports are graded with an overall assurance opinion linked to the implementation of the agreed audit recommendations. The implementation or otherwise of the recommendations is classified individually to denote their relative importance, in accordance with the definitions in the table below.

Internal audit opinion: High assurance
Recommendation priority: Minor points only are likely to be raised
Definition: The arrangements for data protection compliance provide a high level of assurance that processes and procedures are in place and being adhered to and that the objective of data protection compliance will be achieved. No significant improvements are required.

Internal audit opinion: Reasonable assurance
Recommendation priority: Low priority
Definition: The arrangements for data protection compliance provide a reasonable assurance that processes and procedures are in place and being adhered to. The audit has identified some scope for improvement in existing arrangements and appropriate action has been agreed to enhance the likelihood that the objective of data protection compliance will be achieved.

Internal audit opinion: Limited assurance
Recommendation priority: Medium priority
Definition: The arrangements for data protection compliance with regard to governance and controls provide only limited assurance that processes and procedures are in place and are being adhered to. The achievement of the objective of data protection compliance is therefore threatened. Actions to improve the adequacy and effectiveness of data protection governance and control have been agreed and timetabled.

Internal audit opinion: Very limited assurance
Recommendation priority: High priority
Definition: The arrangements for data protection compliance with regard to governance and controls provide very limited assurance that processes and procedures are in place and being adhered to. There is therefore a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.
5. Detailed follow-up audit findings

5.1 Findings and recommendations from the previous audit have been risk categorised using the criteria defined in section 4. The rating takes into account the impact of the risk and the probability that the risk will occur in relation to the implementation of the agreed audit recommendations. For continuity and ease of reference, the findings and recommendations have been numbered in line with the original report and relevant action plan responses.

7.1 Scope A: Records management. The processes in place for managing both electronic and manual records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records.

a. In the absence of appropriate records management processes, there is a risk that records may not be processed in compliance with the DPA resulting in regulatory action by the ICO, reputational damage to the data controller and/or damage and distress to individuals.

A1. Recommendation: Finalise and approve the draft records management policy, which should clearly define roles and responsibilities at all levels of the Council together with how compliance will be monitored, and ensure this is communicated to all new and existing staff handling Council records. Supporting guidance should also be reviewed and updated to ensure it reflects any changes in policy and process.

The draft Records Management Policy has been revised and will be implemented as part of the Records Management Plan, subject to approval by the Council's Corporate Management Team and the Keeper of the Records. The records management procedural guidelines will also be updated and communicated to all employees. In addition, a comprehensive training awareness programme will be introduced; Phase one will be delivered by the implementation date and will be continued thereafter until all staff who handle records have been trained. Training will be ongoing and appropriate records management handling awareness will also be incorporated into the staff induction process.

Implementation Date: 30 September 2013 (subject to approval by Keeper of the Records)
Responsibility: Records Management Officer.

Partially Complete: WDC are obliged by the Public Records Act Scotland 2011 to prepare and implement a records management plan which it must agree with the Keeper of the Records of Scotland. In parallel with this work a records management policy has been produced by the records management officer and approved by the head of service. It has now been passed to the SIRO and is awaiting final approval.

A5. Recommendation: Regularly review the records management function to establish what support and resources are required to help ensure that defined strategic, operational and local roles and responsibilities can be met. The Council should also consider implementing a knowledge management strategy and succession planning to minimise the risk of losing specialist records management skills and knowledge in the event of corporate restructuring or the absence of key staff.

The Records Management function will be reviewed on a regular basis and will be a standing item on the agenda of the FoI/DPA Working Group. The Working Group, through discussion on examples of best practice and information sharing, will ensure that skills transfer and knowledge sharing is imparted to departmental representatives on a regular basis.

Implementation Date: 30 September 2013
Responsibility: Head of Legal, Democratic and Regulatory Services (LDRS) / Departmental Representatives.

Complete: The working group keep the records management function under review and have overseen such recent activity as a large scale (700+ boxes) records scanning exercise.

A6. Recommendation: Devise a records management strategy or plan setting out actions, owners and timescales to achieve Council objectives. Progress against agreed actions can be tracked and reported to the RMO and the Working Group to help ensure the corporate policy is being effectively implemented and the Council is meeting its statutory obligations.

The Council will conduct an Information Audit and the information gathered will be collated into a detailed plan which sets out actions, owners and timescales to achieve Council objectives. This detailed plan will be reviewed as part of the remit of a group of officers from Risk, Records Management, Data Protection and Information and Communication Technology (ICT) which will report to the SIRO where required.

Implementation Date: Initial actions and risks identified from the ICO Audit will form the basis of the plan and will be drafted by May 2013. The target date for the Information Audit is 28 February 2014.
Responsibility: Records Management Officer.

Partially Complete: Initial actions and risks have been identified and have now been recorded on the Council's Covalent risk management system.

A8. Recommendation: Undertake an information survey or audit to identify what record types are held, what they contain, in what format, and what value they hold for the Council. The survey will inform the creation of a corporate inventory, which should be routinely reviewed and updated. A comprehensive records inventory will improve corporate oversight by helping to locate and retrieve records on demand, identify and manage risks and apply disposal decisions.

A council wide information audit will be carried out and responses will be analysed to determine the requirements for a corporate inventory.

Implementation Date: 31 March 2014
Responsibility: Records Management Officer.

Partially Complete: A questionnaire has been prepared to facilitate the information audit, which will commence in Corporate Services.

A13. Recommendation: Finalise and approve a corporate-level Business Continuity Plan, which identifies record keeping systems critical to the continued function of the Council together with safeguards to help ensure the integrity and continued availability of records in the event of system failure or other business disruptions. Where resources permit, the plan should be periodically tested; for example, by routinely reviewing back-ups and archives to ensure the storage medium does not degrade and that data can be readily recovered.

A Business Continuity Coordinator has been appointed who will be in post by May 2013. One of his priorities will be to oversee the review and update of the Council's Business Continuity Plan. This review will take into account the issues noted in the recommendation.

Implementation Date: 24 December 2013
Responsibility: Manager of Audit and Risk.

Partially Complete: A council-wide business continuity plan is currently being redrafted by the Business Continuity Officer and will include a section on records management in line with recommendation.

A17. Recommendation: Review the retention of personal data on the Saffron system and either ensure disposal decisions are routinely applied in line with documented retention guidelines or an exception is approved and authorised by senior management.

Personal data within the Saffron system will be reviewed against the Council's data retention policy and legislative requirements and disposal will be applied where appropriate. The Council will consider the issues of any exceptions raised by Housing management.

Implementation Date: September 2013
Responsibility: Homelessness & Allocations Manager Housing.

Partially Complete: Meetings with the relevant sections that use Saffron have taken place. It has been identified that most modules have interdependencies and deletion of records could cause problems. On-going work with the services and vendor is taking place to find a solution.

A19. Recommendation: Identify performance measures relating to the Council's records management objectives and risks, and implement reporting mechanisms to help monitor the effectiveness of the records management programme. For example, the application of disposal decisions in line with documented retention schedules, or records retrieval times. More information on monitoring and reporting is available from the Scottish Council on Archives, and in the section 61 FOISA code of practice.

It is anticipated that the proposed information audit will provide the Council with the appropriate data in relation to retention and deletion schedules. This will be the basis for identifying performance in relation to risk and management objectives. The Council will adopt guidance for the Scottish Council on Archives and FOISA code of practice to inform our performance and monitoring measures.

Implementation Date: 31 March 2014
Responsibility: Records Management Officer.

Partially Complete: The Records Management Officer will meet with staff from West Lothian Council to discuss their performance framework with a view to implementing it in WDC.
A20. Recommendation: Ensure that the results of any records management reviews carried out by Internal Audit are reported to the RMO to help assure the effectiveness of records management controls and processes.

Where records management is considered as part of an audit assignment, the results will be reported to the RMO, and where appropriate the Working Group.

Implementation Date: March 2013
Responsibility: Manager of Audit and Risk.

Complete: This is a standard part of the audit process and reported back to the group where necessary.
7.1 Scope B: Security. The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.

b. Without robust controls to ensure that personal data records, both manual and electronic, are held securely in compliance with the DPA, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

B1. Recommendation: WDC should adopt an information security strategy that puts in place a formal governance framework, and provides for integrated communication and management of information issues between responsible bodies and roles.

WDC will establish a group comprising representatives from IT Risk, Records Management, Data Protection and Information and Communication Technology (ICT) initially to create a policy/strategy document and thereafter establish a regular forum to discuss and act on any issues.

Implementation Date: 20 September 2013
Responsibility: Manager of Audit and Risk/Head of LDRS.

Partially Complete: WDC has established a group to create an information security strategy. The group is also acting as a forum for issues and has met on 3 occasions so far.

B2. Recommendation: The Council should recognise within its scheme of delegation a Senior Information Risk Officer (SIRO) or equivalent role to strategically coordinate Information Risk and monitor and provide assurance on data protection and records management activity. This would sit most clearly with the Executive Director of Corporate Services. Formal definition would be consistent with Cabinet Office Information Assurance guidance and the results of the Scottish Government's Data Handling in Government review.

The council will appoint a formal Senior Information Risk Owner (SIRO) as part of the scheme of delegation review.

Implementation Date: 30 June 2013
Responsibility: Head of LDRS.

Complete: Executive Director of Corporate Services has been identified as SIRO for WDC. SIRO responsibilities in respect of Records Management, Data Protection and Freedom of Information are defined within revised Scheme of Delegation.

B5. Recommendation: Formally assign and map Information Asset Owners (IAO) who are responsible for managing information in their area. IAOs should provide reports to the SIRO or equivalent role to help them gain assurance that information risks are managed in their respective areas.

Information Assets Owners across all council departments will be identified and mapped. Reports will be provided to SIRO on a regular basis.

Implementation Date: 31 March 2014
Responsibility: Manager of ICT.

Partially Complete: Eracent software will be used to capture data on information assets. Reports presented to Security Group by IAOs and minutes passed to SIRO for review.

B7. Recommendation: Ensure that information risks are suitably defined and incorporated within the corporate risk management framework together with any mitigating controls.

Information risks will be defined and incorporated within the corporate risk management framework together with any mitigating controls.

Implementation Date: 30 June 2013
Responsibility: Executive Director of Corporate Services (SIRO).

Complete: Information Risks and mitigation actions are now recorded on Covalent and are monitored by the SIRO.

B8. Recommendation: Establish metrics for reports on information risk areas to be reported to the SIRO or Corporate Services Committee from Covalent and relevant groups such as the ICT Steering Group.

Risk & Data Protection Officers to investigate reporting models used at other LAs and identify and recommend suitable reporting metrics and structure for WDC to SIRO for decision.

Implementation Date: 30 September 2013
Responsibility: Data Protection Officer.

Complete: Reporting Models have now been discussed by the ICT Steering Group and a decision on the matrix has been passed to SIRO.

B16. Recommendation: Develop a specific procedure for the escalation and management of incidents involving personal data so that in the event of an incident damage to individuals and WDC is minimized, and lessons learned for the future even if it was not an ICT incident.

A specific procedure relating to escalation of incidents to the Head of LDRS, SIRO and Chief Executive will be developed and implemented. This will be incorporated into the data protection and information security policies.

Implementation Date: 31 August 2013
Responsibility: Data Protection and Information Protection Officer / ICT Security Officer.

Complete: Data Protection and Information Security Policies have been updated to include escalation procedure.
B22. Recommendation: Create a training log using Brightwave or separately to provide a record of staff trained and their training level. This should be kept under review and will provide WDC with greater assurance as to the adequacy of baseline and specialist training.

Data protection, information management and information security training will be delivered via the council's e-learning platform. This will include induction and refresher training. A central training log will be kept of all employees taking part.

Implementation Date: 31 August 2013
Responsibility: Data Protection and Information Protection Officer.

Complete: e-learning modules for both data protection and ICT security are now complete and will be rolled out to all staff on an on-going basis. This will be done as part of the revamped induction process.

B27. Recommendation: Establish and maintain a central log of all third party processors used by the council.

An exercise to establish a third party data processor list will be undertaken. This information will be incorporated into a single central log to ensure the appropriate checks and balances are made.

Implementation Date: 31 August 2013
Responsibility: Data Protection and Information Protection Officer.

Complete: The Data Protection Officer now holds a central log of third party data processors.

B30. Recommendation: Establish a single clear-desk policy to apply to all staff and departments which includes the steps expected by local staff and establishes monitoring by management or centrally by data protection/security staff. For example, the last remaining staff member might be required to carry out a floor walk and sign out at the end of the business day. The checks, together with any remedial actions identified, should be documented for audit and monitoring purposes.

A single clear-desk policy will be established and recommendations will be made to middle and senior management to ensure that periodic checks are carried out. Additionally, the DPO will liaise with departmental representatives to carry out ad hoc site visits to ensure adherence to the policy.

Implementation Date: 30 September 2013
Responsibility: Data Protection and Information Protection Officer.

Complete: All staff who moved to 4th floor office of the future attended a DPA and ICT security awareness session and part of the session was dedicated to ensuring that a clean desk policy is adhered to. The Data Protection Officer has commenced site visits, and a report on Regulatory Services has been passed to the Head of Service for action. Guidance is being produced and circulated to all staff on issues relating to paperwork containing personal data being left on desks.
B31. Recommendation: Adopt a single Fax, Printer and MFD policy to apply to all departments defining good practice and promoting fax safety procedures, and mandating PIN use wherever possible.

Printing and MFD policy to be created, use of pin numbers made mandatory on MFDs, and ongoing program in place to set up fax facilities to automatically forward faxed documents via MFDs to a designated secure mailbox account will continue.

Implementation Date: August 2013
Responsibility: IT Connect Section Head - ICT.

Partially Complete: The SIRO has agreed that the use of PIN numbers be made mandatory across council MFDs. ICT looking into forced locking of MFDs (current software allows user to turn off PIN lock). Currently, all MFDs are set up to only use locked printing and staff are being told only to use this facility. To enforce locked printing will have financial and technical implications which are being evaluated at present by ICT, DPO and ICT Security officers.

B36. Recommendation: Create a log of all USB sticks issued by departments, detailing the asset and the staff member issued to.

The Council will create a log for all new purchases and this will be started with immediate effect.

Implementation Date: 31 March 2013
Responsibility: IT Connect Section Head ICT.

Complete: A log of USB sticks has been created and is updated as required.

B47. Recommendation: Implement an endpoint control system as soon as possible to help protect against unauthorised use of unencrypted memory sticks, removable media, and drives.

The lock down of USB ports on all devices is to be incorporated in the ICT Modernisation Project which is due for completion in June 2014. However, ICT will also investigate the feasibility and cost effectiveness of interim solutions.

Implementation Date: Interim solutions investigated by 30 September 2013. Modernisation project lockdown by 30 June 2014
Responsibility: IT Connect / Infrastructure Section Heads ICT.

Partially Complete: Locked down USB ports will be introduced as part of ICT modernisation project, and the feasibility of solutions is being investigated.
B48. Recommendation: Adopt a formal Home Working Procedure as soon as possible to manage existing home workers and provide assurance for the wider roll-out of home working as anticipated in ICT refresh plans. The Risk Assessment should also reflect IT Security and DPA training alongside H&S training.

The development of a home working policy will be part of the Council's project to introduce New Ways of Working (NWW) for all employees and will include procedures to manage flexible, mobile, and home working. A pilot project for NWW is scheduled to commence in August 2013.

Implementation Date: August 2013 (as part of pilot project and wider implementation following pilot evaluation).
Responsibility: Head of People and Transformation.

Partially Complete: As part of its Workplace of the Future programme and current pilot project, the Council is developing a framework to support the introduction of new flexible and mobile work styles which will incorporate guidance for managers and staff on working in differing locations (including working at home). Development of this guidance is underway and will be tested and refined through the pilot workspace project. The framework will ensure that information security is taken into account. Development of this framework is targeted to complete by 31st October.
B56. Recommendation: Consider aggregating information from system dashboards and reports to provide the SIRO or ICT Security officer with a snapshot report on system security.

ICT Security Officer to be notified of all future security alerts/incidents.

Implementation Date: April 2013
Responsibility: Infrastructure Section Head - ICT.

Complete: The ICT Security Officer has access to relevant system reports as required.
(October 2013)

7.1 Scope C: Data Sharing

c. The failure to design and operate appropriate data sharing controls is likely to contravene the principles of the Data Protection Act 1998, which may result in regulatory action, reputational damage to the organisation and damage or distress for those individuals who are the subject of the data.

C1. Recommendation: Approve and implement a corporate data sharing policy (or incorporate this within a data protection or information security policy) setting out management direction and support for sharing, including how policy compliance will be monitored. The policy should be communicated to all staff likely to make decisions about sharing.

WDC will approve and implement data sharing requirements which will be incorporated into the council's data protection, information security and records management policies. The policies will be made available to all staff via the council intranet and additional communication will be made to the relevant staff involved in data sharing.

Implementation Date: 30 September 2013
Responsibility: Head of LDRS/Manager of ICT.

Complete: Council Solicitors include data protection requirements into existing or new contracts. Relevant policies have been updated as required and relevant staff advised to contact Legal and DPO for advice when data sharing is required; complete.

C4. Recommendation: Finalise and approve the new draft of the Practitioner's Guide for Single Shared Assessments and Care Management, and ensure that the new version is shared with all relevant staff.

The Information Sharing Protocol between NHS GG&C and other Local Authorities within the partnership is currently being finalised and is awaiting sign-off. Once approved, this will be added to the guidance and then rolled out to all relevant staff.

Implementation Date: 31 May 2013
Responsibility: Director of Community Health and Care Partnership.

Complete: The Information Sharing Protocol has been approved, added to the guidance and rolled out to staff.

C9. Recommendation: Implement a documented procedure mandating PIAs for all new (or changes to existing) sharing arrangements. The process should require business areas to engage with the DPO, and a central record of all assessments should be maintained for audit and monitoring purposes.

Advice and training will be sought from the Scottish office of the ICO and thereafter a PIA procedure will be implemented council wide. A central record will be maintained of all assessments.

Implementation Date: 31 March 2014
Responsibility: Executive Directors/Head of LDRS.

Partially Complete: Discussions have taken place with Maureen Falconer of the Scottish office of the ICO who has agreed to deliver PIA training to relevant council staff. Dates will be confirmed once suitable staff have been identified.

C13. Recommendation: Create and maintain a central record of data sharing agreements to ensure these are all accounted for. In addition, day-to-day responsibility for maintaining the central record and providing assurances that all agreements are approved, up-to-date and meet legal and good practice standards is allocated to a nominated person or group (for example, the DPO).

A central record will be created and maintained. The DPO will take responsibility for monitoring on a day-to-day basis.

Implementation Date: 30 September 2013
Responsibility: Data Protection Officer.

Complete: A data sharing central record has been created and is being updated as necessary. The data protection officer has been identified as the responsible officer.

C15. Recommendation: Undertake periodic compliance checks to ensure disposal decisions are routinely applied to shared data sets in line with documented retention guidelines; or, an exception is approved and authorised by senior management.

All departments will follow data retention policy and data cleanse where appropriate to ensure compliance with Principle 5.

Implementation Date: September 2013
Responsibility: Corporate Management Team/SIRO/DPO.

Partially complete: Departmental representatives are now aware of relevant retention periods, and there are on-going discussions regarding data retention and disposal. In addition, this is being highlighted at training sessions.
5.2 Any queries regarding this report should be directed to Jonathan Kay, Lead Auditor.

5.3 Thanks are given to Michael Butler, the West Dunbartonshire Council Data Protection / Information Protection Officer, who was instrumental in providing the information to complete the follow-up audit.