Posted: Tuesday 14 August 2012
Recently, there appears to have been a growing number of reports of organisations falling foul of the requirements of the Data Protection Act 1998 (the “Act”), and suffering financial penalties and reputational harm as a consequence.
According to an article published in the Evening Standard recently, the Information Commissioner (“ICO”) has issued 15 fines worth £1.8 million over the last 12 months. One of the larger of those fines was imposed on Torbay Care Trust after sensitive personal information relating to nearly 1,400 of its staff was published on the Devon authority's website. It is unlikely that the hike in the number of fines is because organisations are becoming more reckless with personal data, but rather because the regulator is taking a more proactive approach towards breaches of the Act. For third sector organisations, making sure you keep to the right side of the rules can be a concern.
So, last week, it was refreshing to see the ICO issue a helpful reminder to charities to have a ‘check up’ on their data protection practices. Charities frequently handle sensitive information but, because of the funding pressures prevalent in the third sector, the ICO fears charities may face difficulties when it comes to handling this information in a way which complies with the Act.
As well as urging charities to take action to improve data security, the ICO’s press release sets out five top tips for compliance with the Act, which are:-
The ICO’s press release serves as a useful reminder for charities of their data protection duties. As the ICO points out, it is important for charity trustees to remember that they are the ones who have a duty to ensure their charity complies with all legislation - including the Act. With the top penalty for a breach of the Act being a massive £500,000, it is clear that data protection should be a priority for all charities.
To help ensure compliance, there are many guides and other free resources available on the ICO’s website which should help charities to assess their data protection procedures. In addition, Morton Fraser has prepared a guide to the Act which is available here.
From our experience of advising organisations in handling data protection matters, we would suggest charities may also want to think about:-
The ICO is also keen to emphasise the support that they can offer to charities which are concerned about keeping the information they handle protected. Of particular interest are the free one-day advisory visits being offered to small and medium-sized organisations. To apply for an advisory visit, all a charity needs to do is email the ICO, who will then consider if the charity is eligible. The purpose of this visit is for the ICO to do a check up of the organisation’s existing data protection practices. They will then prepare a report setting out their findings and giving the organisation advice on how to improve. In this way, the ICO hopes to help charities head off a breach of the Act before it happens. Charities should note that the ICO does publish the fact they have conducted an advisory visit but will only publish a summary of their report if the organisation gives them permission to do so. The various summary reports can be found here. From these, one can see that small charities (such as more recently a small nursery in Stoke on Trent, and a pregnancy crisis centre) are engaging in these visits, and the impression which the summary reports give is that the ICO’s approach is informative and proactive.
Morton Fraser’s Third Sector Team has considerable experience providing advice to charities in Scotland. The team adopts a cross-departmental approach drawing on both corporate/commercial experience and private client trust experience. For more information on the Third Sector Team, please contact Lauren Scott on 0131 247 1085 or firstname.lastname@example.org. Alternatively, if you would like to find out more about data protection, contact Samuel Price, on 0131 247 1139 or email email@example.com.