Published 1 January 2016
To view any of the ICO undertakings discussed below, please click here.
The Council has been requested to submit to an ICO undertaking following a breach of the 7th data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The incident occurred in March 2015 and arose as a result of the Council's response to a subject access request, which resulted in sensitive personal details relating to a third party being relayed inadvertently to the data subject requesting access. The ICO investigation into the incident revealed that the third party details had been filed incorrectly, and opportunities were missed to resolve the issue before the documentation was sent.
The undertaking requires that the Council ensures "all staff processing personal data on its behalf, whether they are permanent or otherwise, are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data."
On 11 December 2015 the ICO reported on a follow-up investigation into UCAS which sought to determine whether the organisation had made adequate improvements, and had followed the ICO recommendations of an undertaking it had received in April 2015. UCAS received the April undertaking after the ICO found it had erroneously signed up prospective university students to receive marketing advertisements for general commercial products and services including mobile phones and energy drinks.
The ICO follow-up assessment found that UCAS had "taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted."
On 11 December 2015 the ICO reported on a follow-up investigation into the Borough, which sought to determine whether it had made adequate improvements and had followed the ICO recommendations of an undertaking it had received back in June 2015. The June undertaking followed "incidents where personal data relating to a number of individuals was sent to unintended recipients due to typing errors in the address of the correspondence. On investigation the ICO discovered that although the council had some procedures in place which should have prevented this breach, the level of data protection training received by employees was insufficient meaning data protection issues were not a 'live' enough issue across the organisation."
The ICO follow-up found that the Borough had taken some important steps to address the recommendations in the undertaking, including the development of "a new information security policy as part of a new information security framework" and the development of "a suite of refresher training". Further improvements recommended by the ICO included that "once the information security policy is finalised it should be embedded across the council through an awareness-raising communications campaign and staff training. The policy should be supported by codes of practice, technical controls for ICT and a user acceptance document."
On 23 December 2015 the ICO reported on an undertaking received by the Trust, which followed incorrectly addressed correspondence concerning the outcome of a patient complaint being delivered to the wrong person.
The ICO's investigation concluded that "although the Trust had some organisational measures in place, the error had been made by a temporary bank staff employee who had not received all the appropriate training, and guidance in relation to the role they were expected to fulfil; there was a lack of a formal checking procedure to ensure the accuracy of correspondence as to both address and content before dispatch; key recommendations from previous breach investigation reports in relation to similar incidents had not been implemented and were identified as being a major contributory factor in relation to this breach."
Recommendations contained in the undertaking included that the Trust ensure communication policies are set out in a clear written form, and are brought to the attention of staff so that they can better understand the requirements.
This month's undertakings again highlight the importance the ICO places on the frequency and content of staff training.