Nowhere to Hide
In the last few weeks the Information Commissioners Office (ICO) has broadened its focus and sent a wake-up call to all organisations and businesses which handle personal data.
The ICO were alerted by a Regulator that a small health company was storing personal data without adequate security. The data subjects themselves were unaware of this and no data was lost or destroyed or seen by a third party.
What did the ICO do?
As part of their investigation, the ICO requested the company’s:
- Privacy notice,
- Data retention policy,
- Destruction policy,
- A description of the technical and organisational measures which the company had in place to ensure security of personal data.
At the conclusion of the investigation, the ICO issued a penalty notice which imposed an administrative fine of £275,000 to be paid in one month.
What were the ICO’s findings?
- Whilst there were some policies in place, implementation of the policies and staff awareness was poor, and the company did not implement appropriate technical and organisational measures
- The documentation contained sensitive data which should have been “treated with the utmost care” and the company demonstrated a “highly culpable degree of negligence” and a “cavalier attitude”.
Why is this important?
The penalty notice and fine have been imposed due to the company’s failure to comply with GDPR and to “implement appropriate organisational measures to ensure appropriate security of the personal data it processes”.
The data subjects themselves were unaware and seemingly no data was lost or destroyed or seen by a third party.
This decision by the ICO demonstrates that it will impose penalties and fines where an organisation does not have appropriate policies and procedures in place and where a company cannot demonstrate implementation, staff awareness and compliance.
The future risk
An organisation either does not have the appropriate policies and procedures in place or does have the policies and procedures but has not implemented them and the ICO is contacted by:
- An employee
- A patient
- A third party
- A Regulator following a routine inspection
The first time an organisation will know they are being investigated is when the letter arrives from the ICO.
What can you do?
- Check that your organisation or business has up to date policies and procedures and these have been implemented across the organisation.
- Ensure all staff are trained at least annually
- Review whether your policies and procedures are being followed and update documentation when necessary.
For more information
If you need any advice or assistance on any data protection issues, please contact us.
Bernard Seymour: 07377 710875 | Suzanne Lurie: 07889 173767