Published On: 1 February 2016
To view any of the undertakings discussed below, please click here.
South West Yorkshire Partnership NHS Trust (SWYP NHS Trust) – on 4 January 2016, the ICO reported on the follow-up assessment of SWYP NHS Trust which resulted from an undertaking delivered to the Trust in May 2015. The May undertaking arose after the ICO discovered that a number of letters had been delivered to the wrong recipients by the Trust and that the contents of these letters held personal data.
The follow-up assessment found that the Trust had made some positive improvements which went towards addressing the ICO's recommendations, including a 'Think Information Governance' campaign with the intention of raising awareness of IG practices amongst staff. However, the ICO found that SWYP NHS Trust needed to take further appropriate action in certain other areas, including staff awareness of information governance policy changes.
Rochdale Borough Council (RBC) – on 14 January 2016, the ICO carried out a follow-up assessment at RBC further to an undertaking entered into by the council on 6 July 2015.
The July undertaking arose after a council employee found that social care papers concerning 86 individuals had been stolen from her car. A member of the public later found the papers in a grassy area close to a housing estate. The papers concerned sensitive information including mental health details and information pertaining to the commission of certain offences. The ICO found that there was no formal data protection training for new staff at RBC. The ICO's undertaking required that, amongst other things, such training be duly implemented.
The ICO's follow-up assessment noted that RBC had taken appropriate steps and put in place plans to address many of the recommendations in the undertaking but needed to calculate appropriate deadlines for completion of the training for new starters based upon their role.
King’s College London (KCL) – in July 2015, the ICO issued an undertaking to KCL after it found that a spreadsheet containing the personal details of 1831 current students and applicants had been sent to 22 students in error. On 26 January 2016 the ICO reported on a follow-up assessment undertaken at KCL. The follow-up confirmed that steps had been taken to implement mandatory data protection training which would be refreshed every 2 years. The ICO have recommended that KCL seek to increase staff uptake of the training provided but acknowledge that KCL has also issued its staff with guidance on how to comply with the DPA.
Betsi Cadwaladr University Health (BCUH) – on 25 January 2016, the ICO reported on a follow-up assessment to an undertaking delivered to BCUH in 2014. The 2014 undertaking arose from an ICO finding that 8 patient letters, some of which contained sensitive personal data, had been delivered to incorrect recipients.
The ICO follow-up reported that 98% of staff with personal data management roles had now undertaken training. The remaining 2% were on long-term sick leave. There was also a new requirement for all staff to attend information governance training which is monitored by an electronic system. The ICO have advised that two-yearly training refresher courses now be put in place at BCUH.
London Borough of Hammersmith and Fulham (LBHF) – on 25 January 2016 the ICO reported on the follow-up assessment of LBHF. LBHF had signed an undertaking in June 2015 after the ICO found that the borough had incorrectly addressed and sent out letters to council residents. One letter, relating to a complaint against LBHF, was delivered to the intended recipient's neighbour. Another separate correspondence related to a parking offence and was delivered to an unrelated individual.
The follow-up reported an induction training completion rate of 91% and found that a new information security policy was in place. It also found that LBHF were looking into the development of data protection training. The ICO have recommended that, as well as building on LBHF's current progress, "Once the information security policy is finalised it should be embedded across the council through an awareness-raising communications campaign and staff training. The policy should be supported by codes of practice, technical controls for ICT and a user acceptance document."
South West Yorkshire Partnership NHS Trust (SWP) – on 25 January 2016 the ICO reported on the follow-up assessment of SWP which followed an undertaking in May 2015. The May undertaking arose after the ICO found that SWP had sent the sensitive personal data of patients to unintended recipients through incorrectly addressed correspondence. The ICO assessment reported that the Trust had developed a 'Safe Haven' policy which included a validation procedure for outgoing correspondence. The ICO recommended that SWP "ensure the updated Safe Haven Policy is ratified and made available to staff and raise awareness regarding key amendments to the policy such as the outgoing correspondence validation procedure".
Universities and Colleges Admissions Service (UCAS) and UCAS Media Limited (UML) – on 25 January 2015 the ICO reported on the follow-up assessment of UCAS and UML. The assessment followed an undertaking in April 2015 which arose after the ICO found that UCAS had erroneously signed up prospective university students to receive marketing advertisements for general commercial products and services including mobile phones and energy drinks. Follow-up assessments were also undertaken by the ICO on 14 July and 30 November 2015. The January report notes that UCAS has updated its admissions commercial mailings to "opt-ins" and has put in place a new 'Applicant Declarations' process.
The undertakings are a reminder for organisations to have in place appropriate policies and procedures when handling personal data. Organisations should ensure that all staff are regularly given data protection training and are aware of the location of information governance policies. Staff who undertake data handling as part of their role may require more frequent and detailed training as well as an in-depth understanding of organisations' responsibilities when it comes to personal data.