From the Information Commissioner’s Office:
Anglesey County Council has been ordered to improve its data protection practices after it repeatedly failed to address security and privacy issues.
Two separate security incidents as far back as 2011 led to the council signing undertakings to make changes and improve practices. But despite committing to the improvements, audit visits in July 2013 and October 2014 still found problems with the security of personal data.
Even a preliminary enforcement notice didn’t get the council into full compliance, it seems:
The Commissioner has considered the Council’s representations in response to a Preliminary Enforcement Notice (‘Notice’) issued on 5 August 2015. The Council maintains that it has now put measures in place to comply with the terms set out in paragraph 10 of the Notice. However, having reviewed the documents in support of the Council’s representations and in light of the Council’s previous record, the ICO only has limited confidence in the Council’s commitment to implement the required steps on an ongoing basis.
You can read the enforcement notice here (pdf).
Previous coverage of Anglesey Council breaches on this site can be found here, here, and here.