What does this cover?
Sirona Care & Health ("Sirona") – Sirona has entered into an undertaking compelling the organisation to comply with the seventh data protection principle (security).
An email containing sensitive personal data was sent to a previous service user in error. The email contained sensitive details about three service users, including names, dates of birth, NHS numbers, addresses and medical details. The employee had intended to send the email to her colleagues, but the personal email address of a former service user was selected in error. Sirona only became aware of this incident when it was contacted by the unintended recipient, who then deleted the email. The ICO found that although Sirona did have some data protection policies and procedures in place, they did not provide guidance on checking email addresses or a requirement for staff to delete email addresses no longer in use. The employee in question had not received information governance training in two years.
The ICO undertaking compels Sirona to ensure that mandatory annual data protection refresher training is in place for all staff who routinely process personal data, that the completion rate is monitored, and that appropriate advice on checking email addresses is provided to staff.
What action could be taken to manage risks that may arise from this development?
Financial services companies should continue to inform and train staff on company security protocols, and should continue to review and update their security controls and data protection policies to confirm they remain suitable.
In particular, financial services companies should consider training employees who regularly email sensitive personal data to remove old or out-of-date contacts from their email systems, reducing the risk of an address being selected in error.