ICO Issues Reprimand for Redaction Failures

Bethany Paliga
Bethany Paliga

Published: April 6th, 2023

7 min read

The ICO has recently announced it has issued a reprimand against a not-for-profit organisation for failing to comply with the UK GDPR's security principle.

On 03 April 2023, the ICO published a reprimand against Achieving for Children, a not-for-profit organisation, for inappropriately disclosing personal data, special category data and criminal conviction data in a report. The reprimand states that the ICO conducted an investigation into Achieving for Children and found that, "Due to a communication failure, the manager concerned did not realise on two occasions that an assessment was being sent to both the birth father and the step-father and birth mother. As a result criminal conviction data, children's data, sex life data and health data, which should have been removed or redacted, was disclosed in error".

The Law

Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle' and organisations must ensure personal data is protected to ensure it is not disclosed inappropriately.

The ICO's Findings

The ICO's investigation found that:

  • Achieving for Children did not have the required organisational measures in place to ensure that an incident such as this would not occur;
  • Neither the social worker responsible for sending the assessment or the manager who reviewed it, had received redaction training; and
  • No policy was in place to ensure a manager reviewed redactions prior to an assessment being disclosed.

Throughout its investigation, the ICO found that the organisations had expectations for staff to complete work in a certain way but there was no evidence of policies or guidance documents that inform employees of these expectations. Achieving for Children are now completing ongoing work to ensure that social workers are trained on redaction and other data protection policies.

The ICO has also recommend that Achieving for Children takes the following steps to prevent such an incident from occurring again:

  • Every employee who is expected to complete redactions should complete redaction training;
  • Expectations of senior leadership must be documented in policies or guidance;
  • Annual data protection and information governance training must be provided to all staff.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.

From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

Whilst human error may have been responsible for a failure to properly redact a document, the organisation here has received a reprimand because there were insufficient documented processes and procedures to protect personal data.

A full copy of the reprimand is available to view here.

For further data protection advice and support, Bethany Paliga, Senior Associate and Accredited Data Protection Practitioner in our Governance, Procurement and Information team.


For further information please contact Bethany Paliga

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

By submitting your enquiry you agree that Forbes can contact you.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.