ICO Reprimands organisations for serious data protection breaches and recommends staff training

The UK’s regulator of data protection, the Information Commissioner’s Office (ICO) has this week urged organisations to train their staff and put appropriate systems in place to avoid data breaches. The warning comes after it has emerged that the ICO has reprimanded seven organisations in the last 14 months for data breaches affecting the victims of domestic abuse.

According to the ICO, four cases involved the release of a safe address of the victims of their alleged abuser, in one case, the family had to be relocated to emergency accommodation, the identity of women seeking information about their partners was revealed to those partners, the home address of two adopted children was released to the birth father who was in prison and a children at risk assessment was sent to the mother’s former partner.

This is a reminder for organisations, especially those processing sensitive personal data, to ensure the data is safe and secure. The ICO has recommend that organisations should have processes in place to support those who need it, which includes ensuring staff know to handle the data with extra care and are able to accommodate requests for privacy i.e. not sharing the personal data.

The ICO has also recommended that organisations should regularly check contact information. It is a requirement of data protection law (UK GDPR and Data Protection Act 2018) to ensure that data is accurate. Organisations should be processing accurate data which, for example, could prevent the disclosure of information to an old address.

It has been recommended by the ICO that organisations should make it clear to employees which records they are allowed to access. The ICO has also stated that organisations should consider technical measures such as password protection. Again, it is a requirement of data protection law to ensure that appropriate organisation and technical measures are in place to protect personal data.

“Double check” – the ICO has advised that organisations should “double check” before personal information is transferred, altered or disclosed such as ensuring an address has been redacted, check an email address is correct and checking that the recipients are authorised to receive the information.

As lawyers advising on data protection law, many of the data breaches that cross our desk are usually because of human error where a double check hasn’t taken place, for example, an email has been sent to the incorrect email address, an incorrect document has been attached to an email containing personal data or some information hasn’t been redacted.

Training is so important for those handling personal data and it may not be sensible to take a ‘one size fits all’ approach. The ICO has recommended that role-specific training should take place depended upon the tasks being completed so that employees feel comfortable handling personal data.

For individuals who have had their data breached, this is understandably a very worrying time. Individuals may be entitled to bring a legal claim for upset and distress caused by the breach of their personal data.

JMW advises both organisations and individuals about data protection law.