How to avoid a £500,000 fine: Data protection, privacy breaches and housing associations

CHC Governance Conference, 20 February 2014
Anne Jones, Assistant Information Commissioner

The context
• Increasing amounts of data held online
• Sensitive personal data
• Greater requirement to share data
• Role of the Information Commissioner’s Office (ICO), and increased powers
• ICO action against housing associations:
  – Spectrum Housing Group, Surrey
  – Lewisham Homes / Wandle Housing Association
  – Orbit Housing Association

Civil Monetary Penalties
• Penalty of up to £500,000 for serious breaches of any of the eight data protection principles, committed knowingly or recklessly
• What we will consider:
  – Degree of seriousness; likelihood of causing substantial damage/distress; deliberate; knew or should have known of the risks; any steps taken to prevent; caused by circumstances outside your control
• Address systemic issues rather than the ‘one-off’
• Around 50 fines issued to date; 50% of these to local authorities

How not to do it…
Examples of incidents within Wales:
• HMP Cardiff fined £140,000 after emailing the entire prisoner database to member of the public
• Local authority sends details of a sensitive child protection case to the wrong family (£130,000 fine)
• Another local authority sends council tax benefit letters to the wrong recipients
• Police force emails information relating to 10,000 CRB checks to a member of the public
• Courier delivers 177 files of personal information from DWP to a man in the Amman Valley

Orbit Housing Association

A case study - Orbit Housing
• During an office move, 57 files containing sensitive tenant information went missing
• 42 were recovered, 15 remained missing
• Incident reported to the ICO; undertaking issued in 2009 requiring systems, security and training to be put in place
• In 3 years, Orbit changed its corporate culture:
  – Bespoke training for different levels of staff
  – Corporate policies, eg clear desks, real time data entry
  – Secure systems and tight controls

…and if it had happened in 2014???

Why should you protect personal information?
• It’s the law…
• Enforcement action by the ICO
  – Monetary penalties
  – Undertakings
  – Enforcement notices
  – Prosecution (individuals)
• Reputation and trust
• Good practice knock on effects
• Would you like it if it was your information?

How to avoid a fine…
“Findings from ICO advisory visits to social housing organisations”
• Report launch 20 February 2014
• ICO audit and advisory visit programme
• Challenges and good practice remedies that we found

Report: Challenges and remedies
1. Data sharing agreements
2. Retention schedules
3. Encryption of portable devices
4. Remote working
5. Training and awareness
6. Physical security
7. Secure printing
8. End point control
9. Role based access
10. Monitoring
11. System access
12. Password requirements
13. Records inventory
14. Fair processing information
15. Data protection leadership
16. Fax machines
17. Data protection policies

Help is at hand!
• ICO website: www.ico.org.uk
• Findings from ICO advisory visits to social housing organisations (ICO report, Feb 2014)
• Guide to Data Protection handbook
• A practical guide to IT security
• Codes of practice:
  – Employment, Data Sharing, CCTV
• Training videos
• Or, contact us directly for advice

In summary
Orbit Housing’s three final questions:
“Does your company have a system for protecting personal information? Do your staff know their responsibility for protecting personal information? Do your staff care enough to protect personal information?”

Contact us:
Information Commissioner’s Office (Wales)
2nd Floor, Churchill House
Churchill Way
Cardiff CF10 2HH
Tel: 029 2067 8400
wales@ico.org.uk

Subscribe to our e-newsletter at www.ico.org.uk, or find us on: www.twitter.com/iconews