Doncaster Metropolitan Borough Council – The ICO has issued an undertaking to Doncaster Metropolitan Borough Council in relation to the loss of files of 66 families. The families required the use of certain health services and the files were lost following an internal office move. Investigation of the incident by the ICO revealed that there was a low staff uptake of mandatory data protection training at the council and furthermore, this training was only required every three years.
Amongst other undertakings required of the council in respect of training, the council is obliged to – "Conduct a training need analysis for all roles within the organisation to ascertain the level of data protection awareness required for the role, and the frequency at which the individual should receive refresher training to ensure they are reminded of their obligations in order to prevent further security incidents. This analysis should also consider whether the training should be tailored for specific roles…"
Brunel University London – The ICO has issued an undertaking to Brunel University London after the ICO was called to investigate the loss of 61 TUPE transfer files and 7 personnel files, which were stored in 10 boxes, all of which were lost during an office renovation.
The ICO found that even though the University had a number of policies and procedures in place to safeguard personal data, the training completion rate was very low at less than 10%. The undertakings now accepted by the University include an obligation that it "ensure that staff members routinely processing personal data shall receive training in the requirements of the Data Protection Act upon induction" and that "Regular mandatory refresher training in the requirements of the Act shall be provided to all staff members whose role involves the routine processing of personal data; uptake of this training shall be monitored to ensure all staff members receive regular refresher training annually".
Anxiety UK – The ICO has issued an undertaking to Anxiety UK after the ICO found that personal data held in the password-protected area of the Anxiety UK website had been publicly accessible on the internet, via an online search engine, for around 12 months as a result of a coding error. The ICO criticised Anxiety UK for:
- Not having adequate controls in place with its data processors (the website developer ultimately responsible for the breach). In particular, penetration tests were not performed, which, had they been carried out, would have identified the breach; and
- Breaching the 5th data protection principle for holding data longer than necessary.
British Show Jumping Association (BSJA) – The ICO has issued an undertaking to BSJA to ensure that personal data is processed in accordance with the seventh data protection principle, following the emailing in error to a distribution group of a file containing the names, dates of birth, contact details and membership details of 14,152 members.
The file had been held longer than was necessary on the BSJA's systems and had been given the same name as the file that was usually sent to the distribution group.
The ICO undertaking required the BSJA to ensure that:
- guidance is provided to BSJA staff about checking emails and attachments for personal information before emails are sent and that such guidance is formalised in an appropriate policy or procedure;
- an appropriate policy or procedure is established for the use of shared network drives which includes advice on retention and use of appropriate file names; and
- appropriate security measures are implemented to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction and/or damage.
What action could be taken to manage risks that may arise from this development?
This month's ICO activity yet again focuses on training staff in the policies and procedures in place, both at induction and then regularly throughout the employment relationship. Companies should note that even where the correct policies are in place and training is available, the investigation into Brunel University London led the ICO to determine that this is not enough where the completion rate of the training by staff is low. Companies are advised to continue to monitor staff training and to make sure that this monitoring also captures the completion rate of the training.
Also in keeping with a trend previously identified in this alert, 3 of the enforcement actions refer to data controllers keeping data longer than necessary (and therefore in breach of the 5th principle).