The ICO have recently issued an enforcement notice to the Alzheimers Society for various breaches of the Data Protection Act. There are 10 issues which the Alzheimers Society has six months to remedy. Although these need to be actioned by the Alzheimers Society, they apply to all businesses processing personal information. So here is the test, how many are you already doing?
1. Information is not kept for longer than necessary. Do you have a process in place to identify information which is no longer necessary and can be destroyed? Do you have a retention policy and a secure method of destroying all information that is no longer required?
2. There is mandatory data protection training for staff (and volunteers) who have access to personal information and refresher training at least every two years.
3. The training that is undertaken is monitored and recorded. You should be able to identify the staff who have attended and what the training course covered.
4. Policies and procedures relating to data protection and information governance are brought to the attention of staff (and volunteers) who have access to personal information. Do you have comprehensive data protection policies and procedures and can you demonstrate that they have been effectively communicated to all those staff (and volunteers) who have access to personal information?
5. Portable and mobile devices including laptops, mobile phones, memory cards and other portable media used to transmit and store personal data, the loss of which could cause damage or distress to individuals are all encrypted using encryption software which meets the current standard or equivalent.
6. Secure email accounts are provided for all staff (and volunteers) who use email to transmit personal information. This means a business account is available for all staff (and volunteers) and they are not using their personal email accounts for business purposes.
7. Secure storage is available for staff (and volunteers) who need to hold hard copy records which contain personal information. Is there lockable filing space for hard copy records?
8. Penetration testing is undertaken on the website on a regular basis and any weaknesses highlighted are remedied.
9. Appropriate security is implemented to protect information from being disclosed to those who do not need to have access to it, this includes to staff members, contractors, visitors and volunteers. This includes passwords, lockable cabinets, encryption, etc.
10.Where processing of personal information is carried out your behalf, for example, by a subcontractor, (IT support, HR, payroll etc) you must have a written contract in place which clearly states that the subcontractor will take steps to protect the information from accidental loss, damage or destruction. The contract should also cover the role of the subcontractor, what they can do with the information, what happens when the information is no longer required and that they will only act on your instructions. You need to make sure that any contract you enter into clearly states the responsibility for data protection.
So what's your score? How many of the above do you need to action to protect the personal information you hold and your company's reputation?
No comments:
Post a Comment