Steps for Third Sector to avoid data destruction fines and reputational risks

After a family planning charity was fined for breaching data protection laws, Julie Pickersgill urges voluntary sector organisations to ensure safe storage and disposal of confidential information.

julie pickersgill

Julie Pickersgill, operations director of computer hardware and data destruction specialist Advanced Digital Dynamics (ADD) Ltd, stresses the importance of setting up robust systems to store and destroy confidential data.   

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has stepped up its scrutiny of smaller organisations including charities – imposing the six figure fine on the British Pregnancy Advice Service after a hacker obtained confidential data from the charity’s website.  

The charity had stored names, email addresses and telephone numbers insecurely on its website – and for five years longer than was necessary.

Julie Pickersgill commented: “Localisation of health and social care services means that increasing numbers of charities and Third Sector organisations are delivering frontline services which has seen them embracing technological advances to manage, store and share sensitive information, including patients’ records.  However, as this latest fine shows, many are failing to understand the legal obligations they have to protect information they hold under the Data Protection Act.   

“They are risking not only their reputation, but also huge financial penalties as the ICO can issue fines of up to £500,000 for serious breaches of the data laws. Such enormous penalties could force smaller charities to fold.”  

Large public sector organisations have proven to be long-standing targets for the government’s regulator. The NHS lost track of at least 1.8m patient records in the year to June 2012 and was subject to nearly £1million in fines by the ICO during the first six months of that year. More recently NHS Surrey was fined £200,000 after thousands of patient records were found on a second-hand NHS computer that was auctioned on eBay.   

The British Pregnancy Advice Service is not the only charity to fall foul of the ICO. Two years ago social care charity Norwood Ravenswood Ltd was fined £70,000 after confidential information about four children went missing after it was left outside a house in London. An Information Commissioner's Office inquiry revealed that the charity had not fully trained its employees.  

The ICO recently highlighted a 25 per cent increase in the number of breaches reported to its office between April and December 2013, and, while the biggest offenders continue to be public sector organisations such as education, the health sector and local government; general businesses and charities account for a significant number of such transgressions.    

Data destruction and IT asset disposal are both heavily regulated and complex areas and an ever increasing reliance on digital services both at work and at home brings a responsibility to ensure personal data is handled correctly – with failure to comply bringing serious implications.  

This was reinforced earlier this year when Kent Police were fined £100,000 after highly sensitive and confidential information, including copies of police interview tapes, were discarded in the basement of a former police station. The items included documents and video/audio tapes which contained confidential and sensitive data about a significant number of individuals. The items were discovered by the new owner of the building and only came to light during an unrelated police search.  

The ICO considered that the breach was “serious” and that the imposition of a £100,000 monetary penalty was appropriate.  

So how can charities ensure that they are fully compliant?    ·        

- The simplest way to limit the risk is only to collect information that you need, and to remove data when it is no longer required. 

- Put someone senior in overall charge of the process so that they can ensure that all areas of the organisation understand the responsibilities and possible consequences of poor security procedures.  ·        

- Regular staff training for key people on information security is vitally important and, if charities are in any doubt, they should use a specialist to deliver the training programme.  

- Avoid using ‘free recycling’ services to remove redundant equipment as it can be difficult to monitor whether correct data destruction procedures have been followed.  A reputable service provider will recuperate the costs of the data destruction and disposal by selling or recycling the unwanted equipment.

Diligently check all third party credentials to ensure that you are confident about their systems and their personnel. Remember that you are liable if any breaches occur.

- Wherever possible, destroy data onsite rather than offsite, as it enables you to oversee the process and minimise the risk of a breach.  Redundant equipment should also be securely stored prior to disposal. ·        

- All organisations, regardless of their size, should keep detailed records of any equipment that is marked for removal and make a note of what data it held.  Should a breach then occur, you can demonstrate that you used due diligence.  

Implementing strong data handling and disposal practices makes good business sense as increasing numbers of charities look to deliver public sector contracts to secure much needed revenue.  It ensures that the information you hold is both relevant and accurate, which in turn will save you money, enhance your reputation and limit your risk of breaching the data laws.

Comments (0)

Add a Comment

Allowed tags: <b><i><br>