What does this cover?
To view any of the ICO undertakings discussed below, please click here.
Falkirk Council (the Council): the Council has been requested to submit to an ICO undertaking following a breach of the 7th data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The incident occurred in March 2015 and arose as a result of the Council's response to a subject access request which resulted in sensitive personal details relating to a third party being relayed inadvertently to the data subject requesting access. The ICO investigation into the incident revealed that the third party details had been filed incorrectly and opportunities were missed to resolve the issue before the documentation was sent.
The undertaking requires that the Council ensures "all staff processing personal data on its behalf, whether they are permanent or otherwise, are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data".
The Universities and Colleges Admissions Service (UCAS): on 11 December 2015 the ICO reported on a follow-up investigation into UCAS which sought to determine whether the organisation had made adequate improvements and had followed the ICO recommendations of an undertaking it had received in April 2015. UCAS received the April undertaking after the ICO found that it had erroneously signed up prospective university students to receive marketing advertisements for general commercial products and services including mobile phones and energy drinks.
The ICO follow up assessment found that UCAS had "taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted".
London Borough of Hammersmith and Fulham (the Borough): on 11 December 2015 the ICO reported on a follow-up investigation into the Borough which sought to determine whether it had made adequate improvements and had followed the ICO recommendations of an undertaking it had received back in June 2015. The June undertaking followed "incidents where personal data relating to a number of individuals was sent to unintended recipients due to typing errors in the address of the correspondence. On investigation the ICO discovered that although the council had some procedures in place which should have prevented this breach, the level of data protection training received by employees was insufficient meaning data protection issues were not a “live” enough issue across the organisation".
The ICO follow-up found that the Borough had taken some important steps to address the recommendations in the undertaking including the development of "a new information security policy as part of a new information security framework" and the development of "a suite of refresher training". Further improvements recommended by the ICO included that "once the information security policy is finalised it should be embedded across the council through an awareness-raising communications campaign and staff training. The policy should be supported by codes of practice, technical controls for ICT and a user acceptance document".
Croydon Health Services NHS Trust (the Trust): on 23 December 2015 the ICO reported on an undertaking received by the Trust which followed incorrectly addressed correspondence concerning the outcome of a patient complaint being delivered to the wrong person.
The ICO's investigation concluded that "although the Trust had some organisational measures in place, the error had been made by a temporary bank staff employee who had not received all the appropriate training and guidance in relation to the role they were expected to fulfil; there was a lack of a formal checking procedure to ensure the accuracy of correspondence as to both address and content before dispatch; key recommendations from previous breach investigation reports in relation to similar incidents had not been implemented and were identified as being a major contributory factor in relation to this breach".
Recommendations contained in the undertaking included that the Trust ensure communication policies are set out in a clear written form and are brought to the attention of staff so that they can better understand the requirements.
What action could be taken to manage risks that may arise from this development?
This month's undertakings again highlight the importance the ICO places on the frequency and content of staff training.