Charities frequently handle sensitive information but the ICO fears charities may face difficulties when it comes to handling this information in a way which complies with the Data Protection Act 1988.
According to an article published in the Evening Standard recently, the Information Commissioner (“ICO”) has issued 15 fines worth £1.8 million over the last 12 months. One of the larger of those fines was imposed on Torbay Care Trust after sensitive personal information relating to nearly 1,400 of its staff was published on the Devon authority's website. It is unlikely that the hike in the number of fines is because organisations are becoming more reckless with personal data, but rather because the regulator is taking a more proactive approach towards breaches of the Act. For third sector organisations, making sure you keep to the right side of the rules can be a concern.
So, last week, it was refreshing to see the ICO issue a helpful reminder to charities to have a ‘check up’ on their data protection practices. Charities frequently handle sensitive information but, because of the funding pressures prevalent in the third sector, the ICO fears charities may face difficulties when it comes to handling this information in a way which complies with the Act.
As well as urging charities to take action to improve data security, the ICO’s press release sets out five top tips for compliance with the Act, which are:-
- tell people what you are doing with their data;
- make sure your staff are adequately trained;
- use strong passwords;
- encrypt all portable devices; and
- only keep people’s information for as long as necessary.
The ICO’s press release serves as a useful reminder for charities of their data protection duties. As the ICO points out, it is important for charity trustees to remember that they are the ones who have a duty to ensure their charity complies with all legislation - including the Act. With the top penalty for a breach of the Act being a massive £500,000, it is clear that data protection should be a priority for all charities.
To help ensure compliance, there are many guides and other free resources available on the ICO’s website which should help charities to assess their data protection procedures. In addition, Morton Fraser has prepared a guide to the Act which is available here.
From our experience of advising organisations in handling data protection matters, we would suggest charities may also want to think about:-
- ensuring that all of the trustees are aware of their responsibilities and duties in respect of compliance with the Act;
- nominating a senior post within the charity to have responsibility for data protection issues;
- considering contracts (and practices) with external bodies to ensure data protection responsibilities are clear;
- having in place a set of policies to deal with data protection issues (and making sure people are aware of these policies); and
- undertaking regular internal audits of data protection practices and policies.
The ICO is also keen to emphasise the support that it can offer to charities which are concerned about keeping the information they handle protected. Of particular interest are the free one-day advisory visits being offered to small and medium-sized organisations. To apply for an advisory visit, all a charity needs to do is email the ICO, who will then consider if the charity is eligible. The purpose of this visit is for the ICO to do a check up of the organisation’s existing data protection practices. They will then prepare a report setting out their findings and giving the organisation advice on how to improve. In this way, the ICO hopes to help charities head off a breach of the Act before it happens. Charities should note that the ICO does publish the fact they have conducted an advisory visit but will only publish a summary of their report if the organisation gives them permission to do so. The various summary reports can be found here. From these, one can see that small charities (such as more recently a small nursery in Stoke on Trent, and a pregnancy crisis centre) are engaging in these visits, and the impression which the summary reports give is that the ICO’s approach is informative and proactive.