The Information Commissioner’s Office (ICO) has issued a warning to charity workers informing them that they must “obey strict privacy laws”. The warning follows the prosecution of a charity worker for making personal copies of sensitive data and sending them to a personal email account without the knowledge of his employer, Rochdale Connections Trust.
A total of 11 emails were sent on 22 February 2017 that included the personal information of 183 people, including 3 children. The investigation revealed that a similar database had been sent to a personal email account on 14 June 2016. The data included full names, dates of birth, contact telephone numbers and medical information.
It has not been confirmed how this incident was discovered, nor what the perpetrator intended to do with the data.
The defendant admitted “unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act 1998” and was fined accordingly.
Steve Eckersley, head of enforcement at the ICO, said:
“People have a right to expect that when they share their personal information with an organisation, it will be handled properly and legally. That is especially so when it is sensitive personal data.
“People whose jobs give them access to this type of information need to realise that just because they can access it, that doesn’t mean they should. They need to have a valid legal reason for doing so. Copying sensitive personal information without the necessary permission isn’t a valid reason.”
This warning follows a reminder and a warning to NHS employees about similar issues. Data protection needs to be taken seriously and staff must be informed of the risks they could face by satisfying their curiosity.
Educate your staff
Rolling out a comprehensive staff awareness programme will give employees a clear understanding of their compliance requirements, your organisation’s security policies and procedures, and information security best practices to reduce preventable mistakes.