Charities on ICO radar – 32 charities visited

The Information Commissioner’s Office (ICO) occupies two roles: alongside their powers to enforce compliance and fine organisations for serious breaches of data protection (their ‘stick’ role) they offer informal visits to review how organisations are handling personal information and publish helpful summaries for others to note and use (their ‘carrot’ role).

The ICO has published a summary of what they found when 32 charities invited them in.
Click here to view

Good practice was found in the following areas

  • Physical and building security – e.g. swipe card access; lockable filing cabinets.
  • Use of confidential waste bins and shredding.
  • Informing customers about how their personal information will be used.
  • Controlled access to IT systems – based on job role and a ‘need to know.’

Areas for improvement

  • Only 1 in 4 had a formal policy setting out (i) data protection procedures (ii) roles and responsibilities.
    • Risks: Staff and volunteers lack clarity on (i) what is expected of them day-to-day when handling personal information and (ii) who is responsible for what (e.g. implementing controls; agreeing decisions on sharing personal information).
  • Over half lacked measures to review personal information and dispose of it when no longer required.
    • Risks: The information will become out of date (inaccurate), is a security risk and could be requested by someone. You will therefore use resources to address these risks despite not needing the information.
  • Nearly 1 in 4 lacked remote working procedures.
    • Risks: Personal information is not handled securely when outside the office; staff and volunteers do not know what steps to take to reduce the risks.
  • Nearly 1 in 4 lacked procedures for using fax machines and printers securely.
    • Risks: Human error is a significant risk; without clear procedures and/or technical measures (like pin-coded printing) the organisation (rather than the employee) will be found at fault for any error.

Protecture concludes:

  • There were more “areas for improvement” than “good practice” in the charities visited.
  • Policies must be in place to support the technical measures you may have adopted.
  • You need to be able to demonstrate that you have taken reasonable measures to reduce the risk of a security breach; the following areas were highlighted:
  • Remote working – Define steps to be taken to maintain security when staff are working away from the office.
  • Clear desk – Define what should happen to personal information when staff are away from their desk or at the end of the day. This will reduce the risk of personal information being accessed internally by staff who have no need to access it (e.g. colleagues from other teams; cleaners or security staff) or externally (i.e. in the event of a break in).
  • Secure use of fax and printing – Define procedures and ensure all staff know about them and follow them.
  • Complex passwords – Define, either technically or by policy, the requirement to have complex passwords. This will reduce the risk of security being breached, either internally (i.e. staff using or guessing a colleague’s password to access information) or externally (i.e. by someone attempting to log in as a member of staff).
  • Retention of information – Define a retention schedule or some other means of consistently reviewing personal information and disposing of it when no longer required.
  • Annual refresher training – Ensure staff know how important managing personal information is, and keep them informed of policies and procedures.