Q1 2023/24 (April to June 2023)
As we look back at the reprimands issued in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:
1. Avoid inappropriate disclosure of personal information by having policies in place and training your staff
We reprimanded five organisations for disclosing people’s information inappropriately in the past three months: Achieving for Children, University Hospitals Dorset NHS Foundation Trust, Ministry of Justice, Parkside Community Primary School, and Thames Valley Police.
Whether the cause was a document not being redacted properly, not being disposed of correctly, or personal information being displayed on an electronic screen by mistake, we found that most organisations did not have appropriate processes and policies in place or adequate staff training. To avoid similar incidents, organisations should:
- Review all data protection policies, procedures and guidance, including how to detect and report a personal data breach.
- Provide adequate training for staff responsible for redactions and disclosures.
- Ensure appropriate technical and organisational measures are in place to protect the security and confidentiality of internal emails that include personal information, particularly where these contain sensitive or special category data.
2. Respond to information access requests on time
We reprimanded Plymouth City Council and Norfolk County Council for failing to respond to Subject Access Requests (SARs) within the statutory timeframe.
People have the right to ask organisations for a copy of their personal information. This includes where the organisation obtained the information, what it is using it for and who it is sharing it with.
Organisations must respond to a SAR within one month of receipt of the request. However, this could be extended by up to two months if the SAR is complex.
Read our guidance on SARs so you are prepared and can take a proactive approach to dealing with requests.
3. Implement a data protection by design and default approach
Sussex Police and Surrey Police were reprimanded for rolling out an app that recorded phone conversations and unlawfully captured personal information. This case offers lessons for any organisation planning to introduce an app, product or service that uses personal information, including:
- Development and deployment of any new apps should take a data protection by design and default approach from the very start.
- You should consider the method and means of data processing, with action taken to ensure processing is compliant with data protection law prior to the app being deployed.
- Data protection guidance should be issued to staff in respect of the use of any apps, with staff required to confirm that issued guidance has been read and understood.
As with any enforcement action, we expect organisations to improve their practices as set out in the reprimands we issue. We follow up to understand the changes organisations have made based on our recommendations. Other organisations can learn from these reprimands, so people’s information is handled appropriately.