In March 2016 the ICO reported that it had taken enforcement action against the South Eastern Health & Social Care Trust, (the Trust), following a formal investigation into the Trust’s compliance with the Data Protection Act (DPA). The investigation took place after it emerged that there had been two separate incidents at the Trust involving the disclosure of personal data in error.
One incident concerned a Doctor who left unsecured patients’ records in a private rental property they had vacated.
The other incident concerned a staff member who emailed a confidential document containing ‘extremely sensitive’ personal information to her personal email account.
The ICO investigation revealed that the Trust had “a suite of policies in place which cover the use of email, Trust equipment and remote working standards” but that there was “a lack of appropriate training”.
The ICO expressed concern that “training for staff who routinely access sensitive personal data is lacking and could be improved”. Crucially, the ICO’s investigation revealed that the take up of training within the Trust was low.
The Trust was required to give an undertaking:
- To ensure all staff (including doctors, 3rd party contractors, temporary/agency staff and volunteers) have data protection induction and regular refresher training.
- To ensure all such staff are made aware of the content and location of its policies and procedures relation to data protection.
This is an example of an organisation focusing on putting in place policies and procedures but without actually informing their staff about the existence of these and failing to train people so that they can put these policies and procedures into practice.
Note the ICO demanded that training be given not only to all permanent staff (both senior and junior), but also temporary and agency staff, volunteers and contractors. This shows that the scope of an organisation’s responsibility re training is perhaps much wider that many realise.
This article is intended for informational purposes only and should not be relied upon as legal advice.