A council has been criticised for failing to ensure the security of sensitive information it shares with other organisations.
Lancashire County Council which routinely shares private information with bodies including schools, hospitals and tax authorities, was found to be failing to comply with its policies to ensure security.
An in-house audit report which is due to be debated by the audit and governance committee on Wednesday, said: “Where processes are already established they continue to be used by the officers who are aware of them but little action has been taken for some time to ensure that there is any general awareness of the need for information security, how to guard this effectively, how to recognise that security has been breached and what action to take if it has.”
The internal audit which reviews council activity throughout the year found correct practices were being followed for officers’ use of email and awarded it ‘substantial assurance’, the second highest level of effectiveness.
But ‘data sharing with partners’ has been joined by ‘incident and problem management’ with only limited assurance, the second lowest level of effectiveness, deemed to put objectives at risk.
The report said: “We have now also completed our work on data sharing with partners and can give only limited assurance over this area.
“The local arrangements employed by the service areas we tested are adequately designed to ensure that data is protected but the council’s overall corporate information-sharing arrangements are out of date, incomplete and not complied-with.” Meanwhile in June the Evening Post reported the County Council had also been given limited assurance over its children’s social care case referrals.
It found cases of vulnerable youngsters being allocated to social workers who had left their jobs and existing cases were not being reviewed when social workers left the council. A follow-up investigation found no cases had been allocated to former employees but a full review of the service was due to take place later in the year.
A spokesman for Lancashire County Council said: “As part of the county council’s everyday work, we need to share information with our partners. This could be face-to-face, over the telephone, by post or by encrypted email, depending on the circumstances.
“For example, if a child needs additional support in school, information could be shared with the parents, the school, the NHS and others. Or in a Trading Standards case, information could be shared with HM Revenue and Customs, police or district councils.
“The audit report did not identify any problems with local arrangements. And work is underway to ensure that information governance systems across the council are up to date and fit for purpose.
“Internal audit helps us to identify any issues and show us how we can improve. For instance, our children and young people’s directorate has worked hard to resolve issues that were raised by the internal audit service around social care case referrals.”