ICO undertakings - March 2016
Published 3 March 2016
What does this cover?
British Red Cross
On 26 February 2016 the British Red Cross signed an ICO undertaking committing the organisation to best practice when undertaking fund raising calls. The undertaking arose after the ICO investigated a Daily Mail report which alleged that charities had been ignoring the direct marketing rules in order to compete more effectively for charity donations.
The undertaking commits British Red Cross to compliance with PECR. Interestingly, however, the ICO states in its accompanying press release that it did not find that British Red Cross had breached the direct marketing rules; instead, the ICO offered advice to the charity to assist it in maintaining good standards of fundraising call practice.
The ICO have said: “…a big part of our work is working with companies who want to get it right. British Red Cross is a good example of that. They’ve seen the benefits of not just following the law, but following best practice, and we’re pleased that we’ve been able to work with them on this.”
Western Health and Social Care Trust (WHSC Trust)
On 24 February 2016 the ICO reported on its follow-up assessment of WHSC Trust. The Trust had previously signed an undertaking in April 2015 which arose after the ICO were notified of two data loss incidents. One such incident involved the theft of two computers containing sensitive personal information regarding WHSC Trust's mental health services.
The ICO reported that the review "demonstrated that the Trust has taken appropriate steps and put plans in place to address some of the requirements of the undertaking, however further work needs to be completed by the Trust to fully address the agreed actions". In particular, the ICO have recommended that WHSC Trust ensure that its data protection training completion rates are increased.
Community Transport Ltd (CT)
On 3 February 2016 the ICO reported on the follow-up assessment of CT which followed an undertaking received by the company in July 2015.
The undertaking of July arose after the ICO discovered that a removable hard drive containing CT's back-up customer database had not been returned to the company. The drive had been taken home by a member of staff who did not subsequently return to the company or return the drive. The drive contained the details of around 4,138 individuals.
The ICO discovered that it was customary for company staff to take the drive home at the end of the day to be stored away from the premises. On investigation, the ICO also found that CT were storing data for longer than necessary.
Under the 2015 undertaking, CT agreed a number of actions, including that it would encrypt personal data stored on portable and mobile devices, implement appropriate policies regarding the retention of personal data, and provide appropriate training to staff responsible for handling personal data.
The ICO reported in its follow-up assessment that CT had "taken steps in accordance with their undertaking, and put plans in place to address some of the requirements. However further work needs to be completed to fully address the agreed actions".
What action could be taken to manage risks that may arise from this development?
The follow-up assessment of Community Transport highlights the importance of not keeping data for longer than is necessary, which is creeping more and more into ICO enforcement action and will be a key area under the GDPR.
Organisations should also note that adequacy, frequency and/or monitoring of staff training continues to be a theme for enforcement action by the ICO.
Organisations are further advised to ensure that data protection training for employees who handle personal data is available, mandatory, regularly refreshed and kept up to date by managers.