How to avoid illegal data sharing
During 2012 and 2013 the Information Commissioner’s Office (“ICO”) undertook nine advisory visits to various social housing organisations to better understand how these organisations were processing personal data. The ICO provided guidance and advice to the organisations during the visits, and following its evaluation issued a report summarising its findings.
Although the report was based on visits to social housing organisations, the message and advice can be shared amongst, and used by, any and all organisations processing personal data. With volumes of data in circulation set to continue increasing, having effective compliance procedures in place is paramount.
The ICO pinpointed formal agreements as an important measure when sharing data with other organisations (whether during the normal course of business or otherwise). Formal data sharing agreements allow organisations to (amongst other things) stipulate when information can be shared, how it can be shared and with whom.
Remote working, which is becoming increasingly commonplace, was also identified as an area where organisations could take steps to improve their compliance procedures. Organisations should have policies dictating when remote working is appropriate and setting out what measures employees are required to comply with.
Other suggested security methods to control information, data and the movement thereof included:
- setting printers to prevent documents containing sensitive information leaving the premises;
- restriction of fax machine and USB/CD/DVD drive access;
- only allowing encrypted data onto portable devices;
- internal controls on who can access data, tailored according to an employee’s role or any links which they may have with data subjects; and
- robust ID badge/swipe card policies.
Above all, awareness amongst staff and monitoring of compliance can be crucial to ensuring an organisation is complying with its data protection obligations. Selecting a Data Protection Compliance Officer ensures that staff have a contact to speak with in the event of any questions or data subject requests. In turn, staff training and maintaining agreements, manuals, and an efficient system of policy updates are small, but hugely important steps in the grand scheme of helping organisations remain compliant. Specific measures such as a formal schedule for the disposal of data to prevent unnecessary retention should also be used.
While other organisations may not deal with the same amount of data as the social housing sector, or the same sensitive issues of disability and financial information, the ICO report highlights the key steps that can help ensure organisations are data protection compliant. Non-compliance may not only result in significant fines and bad publicity, but a loss of trust which, in an age of social media empowered consumers, can be disastrous.