The latest case [http://www.ico.gov.uk/news/latest_news/2012/university-published-personal-data-in-online-training-manual-01032012.aspx] to appear on the website of the Information Commissioner's Office (ICO) shows just how easy it can be to break the law.
Last year, someone at Durham University decided to upload some training manuals on the University’s website, and included some screenshots for illustrative purposes. Unfortunately, the person used live data from the screens holding the personal details of real people, rather than coming up with fictitious names.
Furthermore, it took a few months before anyone noticed the error, at which time the University duly reported the incident to the ICO. By doing so, it has avoided incurring a fine, but has had to make a public undertaking on the ICO website that it will mend its ways and change its procedures.
The undertaking details the events, but also highlights the fact that only 20% of the staff at the University had received any training in the handling of personal data. Apparently, departmental representatives had received training, and it was assumed that they would go back and spread the word amongst their colleagues. No record was kept of that happening, and clearly it did not happen in some cases.
The University has therefore now undertaken to ensure that all staff who handle personal data have the appropriate training - and importantly, it will monitor and record the fact that staff members have been trained. Documentation, we should remember, is a major part of any compliance regime.
The big lesson for any other organisation handling personal data is:
* Protect the data
* Train staff to protect the data
* Keep a log to show you’ve trained staff to protect the data
Posted: March 1st, 2012 under Uncategorized.