In recent weeks, we have reported on several high-profile cases where staff members have been involved in the illegal disclosure of personal data. Clearly, some of these were intentional and malicious but, in some cases, the staff member might have thought twice if they had understood the implications of their actions. And, of course, that is where effective staff training comes in.
There are very few organisations which do not collect, store or process personal data in some form, whether it’s exchanging business cards at an event or processing the payroll. It is vital that your staff understand what happens next with that data and think of the Why, How and Who:
– why the data is being collected;
– how it should be stored; and
– who can have access to it.
Perhaps the most challenging task, in terms of staff training, is that final point. Staff are often very trusting of each other and sometimes will not take data security seriously enough.
“I don’t bother to log off my computer when I’m away from my desk because I’ve worked with my colleagues for years. And why would I lock my filing cabinet?”
Whilst we don’t want to promote an atmosphere of distrust, we do need to encourage staff to think about what could happen if the office was inadvertently left completely unattended. If it was their own personal data at risk, how would they want it to be secured?
The ICO has issued some handy guidance for organisations to check their staff training is on the right track.
Although this guidance was issued before the GDPR came into force, the essential points are still very relevant for any organisation wanting to ‘sense-check’ their staff’s understanding.
It is worth noting that the ICO can take action where it finds staff training to be lacking. For example, West Cheshire and Chester Council signed an ‘Undertaking’ (effectively, a notice to improve that the ICO will monitor) where it was found that staff training was incomplete. The Undertaking explains their findings:
“Whilst overall organisational attendance at mandatory training had been at acceptable levels … in 2014, concerns about the effective monitoring of take up had been noted on the follow up in June 2015. These concerns have continued. Temporary and agency workers had also been excluded from data protection training due to the presence of a conflicting policy which stated that temporary employees are treated differently for training purposes…”.
West Cheshire and Chester Council had agreed to an audit by the ICO in 2014 after concerns were raised to the ICO about their data security. Had the Council not been so ready to cooperate, the ICO would have been within their rights to issue a fine for any data breaches found, instead of this Undertaking.