The ICO has ordered The Alzheimer’s Society to take action after finding that volunteers were using personal email addresses to receive and share information about the people who use the charity’s services, storing unencrypted data on their home computers and failing to keep paper records locked away. Volunteers had also received no data protection training, the charity’s policies and procedures had not been explained to them, and they were given little supervision by staff.
The ICO concluded that the charity had breached two of the eight data protection principles (retention and security) and ordered it to take steps to ensure that:
- Personal data is not kept for longer than is necessary
- There is a mandatory data protection training programme for all staff (including volunteers who have access to personal data) and refresher training at least every two years. Delivery of the training should be tailored to reflect the needs of both staff and volunteers
- Completion of any such training is monitored and properly documented
- Policies and procedures relating to data protection and information governance are brought to the attention of all staff (including volunteers who have access to personal data)
- Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are all encrypted using encryption software which meets the current standard or equivalent
- Secure email accounts are provided to all staff (including volunteers who process personal data by email in connection with their work for the data controller)
- Secure storage is provided for all staff (including volunteers who hold hard copy records containing personal data in connection with their work for the data controller)
- Manual (as well as automated) checks are made to identify vulnerabilities on the data controller’s website, e.g. penetration testing
- Appropriate organisational and technical measures are taken against the unauthorised access by staff (including volunteers) to personal data
- Paragraphs 11 and 12 of Part II of Schedule 1 to the DPA (choosing a processor that gives sufficient security guarantees, and processing under a written contract) are complied with where processing of personal data is carried out by a data processor on behalf of the data controller
The Alzheimer’s Society is a very worthy organisation that helps anyone affected by dementia. But this case shows that it failed, over a lengthy period and in many respects, to appreciate how it needed to take care of the personal information of the people it serves. It is a great pity that its excellent reputation has been damaged in this way.