What does this cover?
General Dental Council ('GDC') - The ICO has required GDC to enter into an undertaking, following the incorrect disclosure of a CD containing background information to a GDC registrant, in breach of the 7th data protection principle (security). The CD related to fitness to practice allegations made against a registrant with a similar name.
The ICO investigation found an "absence of a corporate data protection refresher training programme in place for employees who processed personal data". This finding was not overcome by the fact that the GDC was found to have sufficient written policies in place.
A second incident investigated by the ICO concerned the loss of patient dental records. It was concluded that these records were most likely inadvertently destroyed in error; however, the ICO noted "similar training concerns were recognised as one employee involved in this incident had not received the induction data protection training".
GDC has committed to (1) ensuring that all its current employees who process personal data have received data protection training; (2) setting up a mandatory refresher programme; (3) ensuring that completion of data protection training sessions is fully monitored; and (4) ensuring that completion statistics are reported, and implementing such other security measures as are appropriate.
Flybe Limited – The ICO has issued an undertaking to Flybe after a temporary Flybe employee photocopied an individual's passport and emailed the image to himself at his personal email account. The ICO's investigation into the incident revealed that not all Flybe staff had received data protection training, and it was determined that "Flybe’s Data Protection Policy was inadequate and provided only limited advice on how the organisation collects; stores; and secures personal data". Flybe's undertaking includes the following commitments:
- The policy covering the storage and use of personal data is revised in light of this incident to outline the different categories of information processed by Flybe, and to include detail on how such data will be protected; and
- Permanent and temporary staff responsible for the handling of personal data are given appropriate, specific training upon induction (and prior to accessing such data) and this training is refreshed annually. The provision of such training is monitored and recorded.
Martin & Company – An undertaking has been signed by Martin & Company (a solicitors' firm based in Ayr) to comply with the 7th data protection principle, following the firm's report of the loss of a DVD containing evidence. The firm had been instructed to provide the defence for a defendant in a criminal trial. A DVD was to be provided to the firm by the Crown Office & Procurator Fiscal Service; it showed the defendant entering the premises and was to be used as evidence in the trial. Martin & Company asked a colleague from a separate law firm to collect the DVD, but before that DVD was handed to Martin & Company, the unencrypted DVD was lost.
Even though it was not Martin & Company who lost the DVD, the ICO's investigation found that Martin & Company had a number of shortcomings, including that "guidance to staff regarding data protection compliance was lacking, as was training. It was also determined that there was a lack of a formal procedure for staff to follow when arranging to collect personal data outside of the office environment".
Martin & Company were asked to undertake the following commitments in particular:
- Appropriate procedures for the collection of paper and electronic media containing personal and sensitive personal data from third parties are implemented within three months;
- Safeguards are put in place within three months to ensure that where appropriate, portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
- A Data Protection Policy is implemented within three months setting out how Martin & Company will comply with their obligations under the Data Protection Act 1998.
What action could be taken to manage risks that may arise from this development?
Companies should note that the adequacy, frequency and monitoring of staff training continues to be a theme for enforcement action by the ICO. Companies are advised to continue to ensure that staff training, as it relates to information governance, is available, mandatory, and regularly refreshed and updated by managers; that compliance with the training regime is monitored; and that policies are in place to regulate the above.