Nearly all organisations hold and process some personal data (i.e. information relating to an identifiable living individual), at the very least about their own staff, clients and suppliers.
As ‘data controllers’ under the Data Protection Act 1998 (DPA), such organisations are legally obliged to comply with the eight data processing principles set out in the DPA in respect of their ‘processing’ of personal data.
Amongst other things, this includes an obligation to take appropriate technical and organisational measures to keep such personal data secure (Principle 7). Depending on the size and nature of the organisation, such measures will normally include having a formal information security policy and other relevant written procedures for staff to follow, organising staff training, checking whether security measures are actually being adhered to and investigating security incidents.
Despite this, all too often we hear of the Information Commissioner’s Office (ICO) taking action against organisations as a result of their failure to implement adequate (or any) data protection training for their staff.
For example, in May 2014, the ICO issued an enforcement notice requiring Wolverhampton City Council to provide adequate data protection training for its staff within 50 days. The ICO decided to take enforcement action against the Council following an incident when confidential and highly sensitive data was disclosed in error by a social worker to a family member who had no right to see that information. The social worker concerned had received no data protection training. The enforcement notice followed a series of warnings, made over the preceding two years, from the ICO to the Council about the lack of adequate data protection training given to its staff, in respect of which the ICO said that the Council had displayed a ‘startling’ lack of urgency.
Sadly, it is also all too common for organisations to be prompted to reflect on how they handle and process personal data only after a data breach has already occurred and the ICO has taken enforcement action. Data controllers should take proactive steps to ensure that their employees are aware of, and are complying with, their obligations under the DPA (including implementing appropriate and up-to-date data protection training). This will minimise the risk of an employee committing a data breach and, therefore, help to avoid the inconvenience and cost of having to deal with a complaint from a data subject and/or enforcement action by the ICO, along with the reputational damage that this can lead to.