The last couple of months have seen some interesting decisions by the Information Commissioner’s Office (ICO) that provide valuable lessons for charities and social enterprises.
Social care charity fined for loss of data
In October, the ICO issued its first fine for loss of data to a charity, and it wasn’t a small one. Norwood Ravenswood Ltd, a social care charity, was fined £70,000 by the ICO for breach of the Data Protection Act 1998 (DPA).
A social worker left highly sensitive reports about four children outside a London home in a failed attempt to deliver the information to the children’s potential adoptive parents. Those records, according to the ICO, may now be in the possession of anyone.
The ICO found that the social worker had received no data protection training or guidance on how to provide sensitive information to potential adopters, and felt that the seriousness of the offence was such that there was little choice but to issue a monetary penalty.
Clearly, this is a warning to all charities and social enterprises to make sure that they have policies and procedures in place to keep the data which they hold secure, and appropriate training for staff handling that data.
Organisation fined for failure to keep records in order
Another decision of the ICO will set some charities and social enterprises straight about their responsibility to keep their records in order. Although monetary penalties from the ICO in relation to breaches of the DPA have become associated with organisations losing significant amounts of personal data, this month the ICO announced that it had served its first monetary penalty that did not relate to a data loss.
Prudential was served with a monetary penalty of £50,000 for mistakenly merging records of two customers who shared the same first name, surname and date of birth. In addition, Prudential failed to rectify its mistake despite being contacted on several occasions.
This decision should serve as a reminder that organisations must ensure that any personal data they hold, whether about employees or customers, is accurate and up to date (in order to comply with Principle 4 of the DPA), and that appropriate follow-up action is taken when a customer notifies them that the details held about them are incorrect.
Information for charities and social enterprises on DPA responsibilities
Charities and social enterprises wanting more general information about their obligations under the DPA may find the ICO’s sector guide for charities useful. This includes information about how to access the “Th!nk Privacy” training toolkit free of charge.
Finally, it is worth mentioning that a frequent question from charities and social enterprises is whether their organisation is obliged to notify as a data controller to the ICO. The answer to this is, unfortunately, not entirely straightforward.
There is an exemption from notification for “not for profit” organisations, but the exemption is quite narrow and conditions apply. Failure to notify is a criminal offence, so it is best to check the requirements for the exemption carefully. More information on whether the exemption may apply to your charity or social enterprise can be found in the guidance provided by the ICO.