The Data Protection Act is growing in influence in the workplace. We are frequently seeing Subject Access Requests being made by employees who are in dispute (or about to be) with their employer, and they are becoming part of the fabric of employment litigation (which is why this is covered in our next seminar – details below). Whilst it is important to understand the operation and scope of Subject Access Requests, the embarrassment and inconvenience they can cause perhaps pale into insignificance when compared to a data breach.
The Information Commissioner’s Office has recently fined a nursing home £15,000 for failing to keep the personal information they hold secure.
The breach took place when a member of staff took home an unencrypted work laptop, which was stolen during a burglary. The laptop contained sensitive personal information relating to 46 staff, including reasons for sickness absence and information about disciplinary matters. It also contained sensitive personal information about 29 residents, including their dates of birth, mental and physical health and ‘do not resuscitate’ status.
An investigation by the Information Commissioner’s Office found that the nursing home had failed to implement any policies regarding the use of encryption, home working or the storage of mobile devices, and had failed to provide enough data security training.
The Information Commissioner’s Office decided that £15,000 was an appropriate remedy for the size of the business, although a larger organisation, it said, could expect to receive a much larger fine in such circumstances. The Information Commissioner’s Office has the power to impose a monetary penalty of up to £500,000.
The Data Protection Act has significant implications for employers. An employer must take appropriate technical and organisational measures against unauthorised or unlawful processing of, and against accidental loss or destruction of, or damage to, personal data. With homeworking and employees using their own devices for work both on the increase, employers would be wise to implement homeworking policies and contractual obligations, and to consider specific training to deal with data security and confidentiality issues (along with other important areas such as equipment and health and safety).
It is clear that such measures will not only reduce the risk of breaching the Data Protection Act in the first place but will also be taken into account by the Information Commissioner’s Office when it considers the appropriate fines for any breaches.