2016 may turn out to be a year of real change in data protection in Europe. We have written extensively in 2015 about the coming of age of data protection with cases like Schrems, Weltimmo and Vidal-Hall. It's also likely that the new EU Data Protection Regulation will reach final agreement soon too. With all of these revolutionary developments it is often easy to overlook how existing data protection law has also evolved.
What happened with The Alzheimer’s Society?
An example of just this evolution is the UK Information Commissioner's action against the Alzheimer's Society on 5 January 2016. The Alzheimer's Society had given an undertaking to the ICO in February 2010 after a security breach, when a number of unencrypted computers were stolen during a burglary. The charity was subject to an audit in 2013 and then again in 2014. The 2014 follow-up audit found that a recommendation from the 2013 audit report had not been fully implemented. As a result, and following a second security breach in 2015, the ICO has now issued an enforcement notice.
The charity was set up in 1979, and has around 230 branches throughout the country. It had an income in 2013/14 of over £80m.
What was the case about?
According to the ICO, the charity recruited a group of volunteers in 2007 to help dementia sufferers and their families or carers seek NHS funding. Between them, these volunteers handled just under 2,000 cases. As part of their role they drafted reports including sensitive personal data about the medical treatment, care needs and mental health of those they were trying to help. Despite the sensitive nature of the data involved, the volunteers used their own personal e-mail addresses, stored data unencrypted on their home computers and did not manage paper files adequately. Even more concerning, perhaps, the volunteers were not trained in data protection and the charity's policies and procedures were not explained to them. They worked with little supervision.
In addition to the issues around volunteer case workers, the charity’s website was hacked in 2015, putting at risk around 300,000 e-mail addresses and other non-sensitive personal data.
What did the ICO do?
The ICO issued an enforcement notice. The ICO has the power to serve an enforcement notice where there has been a breach, requiring an organisation to take (or refrain from taking) specified steps in order to ensure it complies with the law.
In this case the enforcement notice requires a number of changes to the way in which the charity deals with sensitive data. It includes:
- Mandatory data protection training for all staff (including volunteers) and refresher training at least every 2 years. The training has to be tailored to reflect the needs of both staff and volunteers.
- Proper policies and procedures relating to data protection, which are brought to the attention of all staff, including volunteers.
- Encryption on all mobile devices which are used to process or access personal data.
- Secure e-mail accounts for all staff, including volunteers.
- Secure storage for all staff (again including volunteers) for hard copy personal records.
- Additional checks on the website including penetration testing.
The charity has the right to appeal. It is unclear at this stage whether it intends to do so.
The case serves as a reminder to all businesses that they can't wait until the new Regulation becomes law before examining what they do. Whilst data protection law is in the process of being renewed, we're not starting from scratch. Laws already exist protecting personal data and they are being enforced. Any organisation handling personal data – whether a charity or not – would be wise to take a look at the 6-point list above to see if it has those measures in place. If not, 2016 might be the year to do something about it.
Jonathan Armstrong is a lawyer with Cordery in London where his focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com