An enforcement notice issued by the Information Commissioner's Office (ICO) to The Alzheimer's Society last week is a helpful reminder to charities and other third sector bodies that they are not immune to the requirements of data protection laws when it comes to volunteer staff.
The enforcement notice relates to a group of volunteers recruited by The Alzheimer's Society to help dementia sufferers and their families or carers find NHS funding. Amongst other activities, the volunteers were engaged to draft reports containing sensitive information about patients' medical treatment, care needs and mental health.
As a data controller, The Alzheimer's Society had a duty under the Data Protection Act (DPA) to comply with the data protection principles in relation to all personal data in its control. That includes not just the handling of personal data by employees, but also volunteers.
However, an investigation carried out following a security breach in April 2015 revealed that volunteers were storing unencrypted data on their home computers, failing to lock away paper records and had used personal email addresses to receive and share sensitive information.
Furthermore, volunteers received no training on the charity's policies and procedures or on general data protection compliance, and had little supervision from the charity's paid staff.
As a result, the ICO found that the charity had contravened the fifth and seventh data protection principles. These provide that personal data should not be kept longer than necessary and that appropriate technical and organisational measures should be taken against unauthorised processing or loss of personal data.
The enforcement notice requires The Alzheimer's Society to take certain steps to address the shortcomings identified by the ICO's investigation. A breach of an enforcement notice is an offence under the DPA.
5 tips to help ensure data protection compliance
- The ICO treats volunteers in the same way as employees. Charities and other third sector bodies who rely on volunteers should ensure that they have appropriate data protection policies and procedures and that their volunteers understand how to handle personal data in compliance with the DPA.
- Volunteers who need to handle personal data should be provided with secure email accounts to ensure that they do not use personal email accounts to process or store sensitive data.
- Appropriate information security measures should be used to protect data. Beware of volunteers using unencrypted personal laptops, tablets, or other mobile devices (such as USB sticks).
- If it is necessary for volunteers to handle hard copy files, ensure that secure storage is available and used. Consider whether storing data electronically may be more secure.
- Personal data should not be kept for longer than necessary. You should ensure that you have in place an appropriate records retention policy and that all data is managed in accordance with that policy.
The Data Protection Act will be replaced in 2018 by a new EU wide General Data Protection Regulation (GDPR). The GDPR will require all organisations to review how they handle personal data and update their policies and procedures. The GDPR will also give regulators new enforcement powers. You can find out more by following @BrodiesTechBlog.