The Alzheimer’s Society’s “disappointing attitude” to data protection criticised by the ICO
The Alzheimer's Society is no stranger to the requirements of the Data Protection Act 1998 ("DPA") or to having its policies and procedures scrutinised by the Information Commissioner's Office ("ICO"). In 2010, after several unencrypted laptops were stolen during an office burglary, the charity agreed to implement a series of security measures. The ICO made further data-security recommendations following two audits of the charity in March 2013 and March 2014. The charity's website was then hacked in 2015, putting a large amount of sensitive personal data at risk, and once again the ICO made a number of recommendations to the charity.
The ICO's patience with the charity appears to have run out following the ICO's most recent investigation into the charity's compliance with the DPA. According to Mr Eckersley, Head of Enforcement at the ICO, the investigation revealed "serious deficiencies in the way the Alzheimer's Society handles personal information. Some of these have been addressed, but the extent and persistence of the charity's failure to do as we've asked means we must take more formal action".
In particular, it is reported that:
- after its website was hacked, the charity failed to carry out manual checks of the site to detect any vulnerabilities;
- volunteers used personal email addresses to share information about people using the charity's services;
- unencrypted data was stored on home computers;
- volunteers were not trained in data protection; and
- personal data was kept for longer than necessary for the purpose of processing.
The ICO has served an Enforcement Notice on the charity, giving it six months to take certain steps to ensure compliance with the DPA. If the charity fails to comply with the Enforcement Notice it could face prosecution.
The comments made by the ICO to the Alzheimer's Society should act as a warning to other charities, which should ensure that they too are taking appropriate steps to comply with the DPA. In particular, charities should have in place suitable policies and procedures for data protection and information governance. Those policies and procedures should be brought to the attention of all staff, including volunteers, and suitable training should be provided. Appropriate organisational and technical measures should be taken to prevent unauthorised access to personal data, whether by staff, volunteers or outsiders. Secure email accounts should be provided to any staff and volunteers who process personal data, so that personal addresses are never used for that purpose, and portable and mobile devices (such as laptops) should be encrypted so that a lost or stolen device does not expose the data stored on it.
We can assist charities to review their data protection policies and procedures if required.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.