Published 1 February 2016
What does this cover?
South West Yorkshire Partnership NHS Trust (SWYP NHS Trust) – on 4 January 2016, the ICO reported on the follow-up assessment of SWYP NHS Trust which resulted from an undertaking delivered to the Trust in May 2015. The May undertaking arose after the ICO discovered that a number of letters had been delivered to the wrong recipients by the Trust and that the contents of these letters held personal data.
The follow-up assessment found that the Trust had made some positive improvements which went towards addressing the ICO's recommendations, including a 'Think Information Governance' campaign with the intention of raising awareness of IG practices amongst staff. However, the ICO found that SWYP NHS Trust needed to take further appropriate action in certain other areas, including staff awareness of information governance policy changes.
Rochdale Borough Council (RBC) – on 14 January 2016, the ICO carried out a follow-up assessment at RBC further to an undertaking entered into by the council on 6 July 2015.
The July undertaking arose after a council employee found that social care papers concerning 86 individuals had been stolen from her car. A member of the public later found the papers in a grassy area close to a housing estate. The papers concerned sensitive information including mental health details and information pertaining to the commission of certain offences. The ICO found that there was no formal data protection training for new staff at RBC. The ICO's undertaking required that, amongst other things, such training be duly implemented.
The ICO's follow-up assessment noted that RBC had taken appropriate steps and put in place plans to address many of the recommendations in the undertaking, but needed to set appropriate deadlines for completion of the training for new starters based upon their role.
King’s College London (KCL) – in July 2015, the ICO issued an undertaking to KCL after it found that a spreadsheet containing the personal details of 1831 current students and applicants had been sent to 22 students in error. On 26 January 2016 the ICO reported on a follow-up assessment undertaken at KCL. The follow-up confirmed that steps had been taken to implement mandatory data protection training which would be refreshed every 2 years. The ICO have recommended that KCL seek to increase staff uptake of the training provided but acknowledge that KCL has also issued its staff with guidance on how to comply with the DPA.
Betsi Cadwaladr University Health (BCUH) – on 25 January 2016, the ICO reported on a follow-up assessment to an undertaking delivered to BCUH in 2014. The 2014 undertaking arose from an ICO finding that 8 patient letters, some of which contained sensitive personal data, had been delivered to incorrect recipients.
The ICO follow-up reported that 98% of staff with personal data management roles had now undertaken training. The remaining 2% were on long-term sick leave. There was also a new requirement for all staff to attend information governance training, which is monitored by an electronic system. The ICO have advised that two-yearly training refresher courses now be put in place at BCUH.
London Borough of Hammersmith and Fulham (LBHF) – on 25 January 2016 the ICO reported on the follow-up assessment of LBHF. LBHF had signed an undertaking in June 2015 after the ICO found that the borough had incorrectly addressed and sent out letters to council residents. One letter, relating to a complaint against LBHF, was delivered to the intended recipient's neighbour. Another separate correspondence related to a parking offence and was delivered to an unrelated individual.
The follow-up reported an induction training completion rate of 91% and found that a new information security policy was in place. It also found that LBHF were looking into the development of data protection training. The ICO have recommended that, as well as building on LBHF's current progress, "Once the information security policy is finalised it should be embedded across the council through an awareness-raising communications campaign and staff training. The policy should be supported by codes of practice, technical controls for ICT and a user acceptance document."
South West Yorkshire Partnership NHS Trust (SWP) – on 25 January 2016 the ICO reported on the follow-up assessment of SWP which followed an undertaking in May 2015. The May undertaking arose after the ICO found that SWP had sent the sensitive personal data of patients to unintended recipients through incorrectly addressed correspondence. The ICO assessment reported that the Trust had developed a 'Safe Haven' policy which included a validation procedure for outgoing correspondence. The ICO recommended that SWP "ensure the updated Safe Haven Policy is ratified and made available to staff and raise awareness regarding key amendments to the policy such as the outgoing correspondence validation procedure".
Universities and Colleges Admissions Service (UCAS) and UCAS Media Limited (UML) – on 25 January 2015 the ICO reported on the follow-up assessment of UCAS and UML. The assessment followed an undertaking in April 2015 which arose after the ICO found that UCAS had erroneously signed up prospective university students to receive marketing advertisements for general commercial products and services, including mobile phones and energy drinks. Follow-up assessments were also undertaken by the ICO on 14 July and 30 November 2015. The January report notes that UCAS has updated its admissions commercial mailings to "opt-ins" and has put in place a new 'Applicant Declarations' process.
What action could be taken to manage risks that may arise from this development?
The undertakings are a reminder for organisations to have in place appropriate policies and procedures when handling personal data. Organisations should ensure that all staff are regularly given data protection training and are aware of the location of information governance policies. Staff who undertake data handling as part of their role may require more frequent and detailed training, as well as an in-depth understanding of organisations' responsibilities when it comes to personal data.