The Information Commissioner's Office has reprimanded the Alzheimer's Society for a number of breaches of the Data Protection Act, including failing to provide regular training to staff and volunteers on data protection compliance.
The enforcement notice states that the charity has failed to comply with two data protection principles and has issued a set of ten action points which need to be complied with within a period of six months.
The key issue is that the charity has not been training its staff or volunteers on a regular basis with regard to the requirements of the Act. This has led to breaches of the Act, probably due to lack of knowledge. So what do you need to do to avoid the wrath of the ICO?
All organisations should be regularly training their staff (and volunteers) in the requirements of the Data Protection Act, at least every two years.
So what should your training cover? As a minimum you would want to inform all staff of:
- Who the Data Protection Officer is
- What personal information is
- How information should be collected, stored and destroyed
- The time-scales for destruction (i.e. a retention policy)
- The checks they should be undertaking before providing information to someone (Subject Access Requests)
- How to ensure that sharing information via email is carried out securely
- The constraints on using their own devices for work purposes.
An organisation should also have policies and procedures to support these elements. Remember, these are THE BASICS!
Any training undertaken should be recorded: what the training covered, who attended and the date. You will need to keep these records in case of an issue with the ICO at a later date. Showing that you have trained the staff (and volunteers) on a regular basis shows a commitment to compliance with the Act.
If you have any questions or want to run a training session for your staff, we run in-house courses tailored to your needs, so please contact me.