How to avoid a £500,000 fine: Data protection, privacy breaches and housing associations

How to avoid a £500,000 fine:
Data protection, privacy
breaches and housing
associations
CHC Governance Conference, 20 February 2014
Anne Jones
Assistant Information Commissioner
The context
• Increasing amounts of data held online
• Sensitive personal data
• Greater requirement to share data
• Role of the Information Commissioner’s
Office (ICO), and increased powers
• ICO action against housing associations:• Spectrum Housing Group, Surrey
• Lewisham Homes / Wandle Housing Association
• Orbit Housing Association
Civil Monetary Penalties
• Penalty of up to £500,000 for serious breaches of
any of the eight data protection principles,
committed knowingly or recklessly
• What we will consider:– Degree of seriousness; likelihood of causing substantial
damage/distress; deliberate; knew or should have
known of the risks; any steps taken to prevent; caused
by circumstances outside your control
• Address systemic issues rather than the ‘one-off’
• Around 50 fines issued to date; 50% of these to
local authorities
How not to do it…
Examples of incidents within Wales:-
 HMP Cardiff fined £140, 000 after emailing the entire
prisoner database to member of the public
 Local authority sends details of a sensitive child protection
case to the wrong family (£130,000 fine)
 Another local authority sends council tax benefit letters
to the wrong recipients
 Police force emails information relating to 10,000
CRB checks to a member of the public
 Courier delivers 177 files of personal information from
DWP to a man in the Amman Valley
Orbit Housing Association
A case study - Orbit Housing
• During an office move, 57 files containing sensitive
tenant information went missing
• 42 were recovered, 15 remained missing
• Incident reported to the ICO; undertaking issued in
2009 requiring systems, security and training to be
put in place
• In 3 years, Orbit changed its corporate culture:• Bespoke training for different levels of staff
• Corporate policies, eg clear desks, real time data
entry
• Secure systems and tight controls
…and if it had happened in 2014???
Why should you protect personal
information?
• It’s the law…
• Enforcement action by the ICO
– Monetary penalties
– Undertakings
– Enforcement notices
– Prosecution (individuals)
• Reputation and trust
• Good practice knock on effects
• Would you like it if it was your information?
How to avoid a fine…
“Findings from ICO advisory visits to
social housing organisations”
• Report launch 20 February 2014
• ICO audit and advisory visit programme
• Challenges and good practice remedies
that we found
Report: Challenges and remedies
1. Data sharing
agreements
2. Retention schedules
3. Encryption of portable
devices
4. Remote working
5. Training and awareness
6. Physical security
7. Secure printing
8. End point control
9. Role based access
10. Monitoring
11. System access
12. Password
requirements
13. Records inventory
14. Fair processing
information
15. Data protection
leadership
16. Fax machines
17. Data protection
policies
Help is at hand!
• ICO website: www.ico.org.uk
• Findings from ICO advisory visits to social
housing organisations (ICO report, Feb 2014)
• Guide to Data Protection handbook
• A practical guide to IT security
• Codes of practice:• Employment, Data Sharing, CCTV
• Training videos
• Or, contact us directly for advice
In summary
Orbit Housing’s three final questions:“Does your company have a system for
protecting personal information?
Do your staff know their responsibility
for protecting personal information?
Do your staff care enough to protect
personal information?”
Contact us:Information Commissioner’s Office (Wales)
2nd Floor
Churchill House
Churchill Way
Cardiff CF10 2HH
Tel: 029 2067 8400
wales@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk, or
find us on:-
www.twitter.com/iconews