Charity data protection failings lead to regulator action

Two news items of particular relevance from the data protection regulator, the Information Commissioner’s Office (ICO), may hold lessons for other charities.

Lack of data protection training for volunteers

The ICO has found serious failings in the way volunteers at a national dementia support charity handled sensitive personal data. It has ordered The Alzheimer’s Society to take action after discovering that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away.

The head of enforcement at the ICO said:

“In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after the very sensitive information that people trusted them with.”

Although the charity has made improvements since the shortcomings were identified in November 2014, the ICO has issued it with an enforcement notice because it is concerned that more needs to be done.

See Civil Society News coverage or ICO’s own news release for more.

Update: ‘Volunteering and data security: exploring challenges emerging from recent news stories’ is a short piece on the Volunteer experience in the digital age research blog, highlighting the issue of achieving data protection standards in a voluntary context.

Exposing sensitive email addresses

The Information Commissioner’s Office has fined the Bloomsbury Patient Network after it inadvertently revealed the identities of HIV patients through an email error.

The Network, which offers support to patients, sent out an email newsletter with the email addresses of 200 patients in the ‘to’ field rather than the ‘bcc’ field. This meant that recipients could see all the individual email addresses, and often full or partial names too.

ICO data breach news item.