Agencies who have been warned about proper data security don’t necessarily get it if Wolverhampton Council is any guide

May 30, 2014

Proper data security policies, programs and protocols are not a one-off event. Organisations and agencies change and develop, and at minimum such changes should involve a privacy impact assessment. Unfortunately some bodies, public and private, are frequent fliers when it comes to poor data handling practices and privacy protections. One such agency was Wolverhampton City Council, which ignored or did not heed warnings about its practices. That ultimately attracted the attention of the Information Commissioner’s Office and resulted in an enforcement notice.

The ICO’s press release (found here) provides:

The Information Commissioner’s Office (ICO) has ordered Wolverhampton City Council to provide adequate data protection training for its staff following a series of warnings dating back over two years.

The enforcement action follows an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.

On 20 December 2011, just before the breach, the ICO had completed an audit with the council. The audit recommended the council introduce a data protection policy, explaining how people’s information should be kept secure. It also recommended the council should provide mandatory staff training so that the policy was followed.

The policy was introduced in May 2013 with mandatory training for all staff scheduled to be completed by the end of February this year. However, the ICO has discovered the council has failed to meet this deadline with two thirds of the council’s staff (68%) still having not undertaken the training.

The council must now make sure the training is provided to all staff within 50 days, or the matter will be treated as contempt of court.

ICO Head of Enforcement, Stephen Eckersley, said:

“The lack of urgency displayed by Wolverhampton City Council is startling. Over two years ago, we reviewed the council’s practices and highlighted the need for guidance and mandatory training to help its staff keep residents’ information secure.

“Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained. We have taken positive steps and acted before this situation is allowed to continue any longer and more people’s personal information is lost.”

The enforcement notice, dated 15 May and found here, provides:

To: Wolverhampton City Council
of: Civic Centre, St. Peter’s Square, Wolverhampton WVl SH


  1. Wolverhampton City Council is the data controller, as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data by Wolverhampton City Council and is referred to in this notice as the ‘data controller’.
  2. The Act came into force on 1 March 2000 and repealed the Data Protection Act 1984 (the ‘1984 Act’). By virtue of section 6(1) of the Act, the office of the Data Protection Registrar originally established by section 3(1)(a) of the 1984 Act became known as the Data Protection Commissioner. From 30 January 2001, by virtue of section 18(1) of the Freedom of Information Act 2000, the Data Protection Commissioner became known instead as the Information Commissioner (the ‘Commissioner’).
  3. The Commissioner was informed of an incident on 17 January 2012 in which confidential and highly sensitive data was disclosed in error by a social worker to a sibling who had no right to see that information. The Commissioner’s office had made an audit recommendation on 20 December 2011 that the data controller should implement a data protection policy (among other things) and that staff should then receive training on that policy.
  4. The Commissioner understands that the data protection policy was approved on 21 May 2013 and that compulsory training for all staff on ‘Protecting Information’ was due to be completed by the end of February 2014. However, as at 18 February 2014, only 32% of the data controller’s employees had completed the compulsory training module.
  5. The Commissioner has considered the data controller’s compliance with the provisions of the Act in light of these matters. In particular, he has taken note of the remedial action already taken by the data controller.
  6. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. The relevant provision of the Act is the Seventh Data Protection Principle.
  7. The Seventh Data Protection Principle provides at Part I of Schedule 1 to the Act that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

  8. Paragraph 9 of Part II of Schedule 1 to the Act further provides that:

“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.”

  9. Having considered the facts of this case and the remedial action already taken by the data controller, the Commissioner is satisfied that the data controller has contravened the Seventh Data Protection Principle in that it failed to take appropriate measures to ensure the security of its data.

The Commissioner considered, as he is required to do under section 40(2) of the Act when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner took the view that the likelihood of distress is self-evident. The individual whose confidential and highly sensitive personal data has been disclosed to an unauthorised sibling has suffered from significant distress, worry and anxiety.

  10. The Commissioner has further taken account of the effect of the incorporation in English law of the European Convention on Human Rights (‘ECHR’), by virtue of the Human Rights Act 1998, in deciding whether or not to serve an Enforcement Notice. In particular, the Commissioner is mindful of the provisions of Article 8 of the ECHR in that the individual whose confidential and highly sensitive personal data was disclosed to an unauthorised sibling has the right to respect for private and family life, home and correspondence.

In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the Act, he requires that the data controller shall within 50 days of the date of this Notice:

(1) Ensure that all staff have completed the ‘Protecting Information’ e-learning module

There is no reason to think that some agencies in Australia do not have similar cultural and systemic problems. That is certainly the case with organisations. The difference is that in the UK and the USA these instances are much more likely to be investigated and publicised. The Australian regulators have tended to be far more reticent. Until recently the Privacy Commissioner’s powers have not lent themselves to such overt actions. Now that this has changed, one hopes the office takes a more robust approach.
