Waltham Forest Council is grappling with an increase in data breach incidents, according to a recent report presented to the Audit and Governance Committee.
The report, which was reviewed at the 15 July 2025 meeting, revealed that 173 suspected data breach incidents were logged for investigation in the past 12 months. Of these, five met the criteria for mandatory reporting to the Information Commissioner's Office (ICO). Three of those were third-party incidents arising from cyber security incidents in which Waltham Forest records were not breached. One arose from a file retrieval issue with the Council's offsite third-party provider. One involved a suspected disclosure of personal information, but it could not be determined where the information may have been obtained from.
The report, detailed in the Audit Governance Committee Report Data Protection2025 new temp, also highlighted the council's ongoing efforts to develop and implement systems and processes to support data protection compliance.
The council is working to develop and implement additional systems and business processes to support cross-departmental continuity in areas such as procurement, ICT, and data protection.
Mandatory data protection and cyber security training continues to be provided to all staff. The Information Governance Board places emphasis on training compliance and continues to support and monitor course completions. Courses are offered via the E-Learning platform on an annually renewable and refresher basis. Bespoke face-to-face and virtual in-house training is also provided to departments as required. Data Protection Policies and related ICT policies have been reviewed and are current. The council also continues to meet the standards of the NHS Data Security and Protection Toolkit (DSPT). The next assessment is due for return in June 2026. The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards.
In addition, the council initiated 142 Data Protection Impact Assessments (DPIAs), a 37% increase over the past two years. This increase reflects organisational changes including redundancies and a strategic shift towards more streamlined services. These transitions prompt scrutiny of the data processing activities under consideration and a systematic assessment of privacy risks through the DPIA process, to ensure that the Council remains compliant with its obligations under the UK Data Protection Act 2018.
The council received 487 Subject Access Requests (SARs), with 30 SAR Reviews requested and carried out by the DPO. The substantial increase in SAR review complaints is primarily attributed to delays in dispatching responses and records or confirming that records were not held. The council continues to develop the new customer management system for processing requests and SAR guidance for Council Services.