ICO Issues Reprimand for Redaction Failures

The ICO has recently announced it has issued a reprimand against a not-for-profit organisation for failing to comply with the UK GDPR's security principle.

On 03 April 2023, the ICO published a reprimand against Achieving for Children, a not-for-profit organisation, for inappropriately disclosing personal data, special category data and criminal conviction data in a report. The reprimand states that the ICO conducted an investigation into Achieving for Children and found that, "Due to a communication failure, the manager concerned did not realise on two occasions that an assessment was being sent to both the birth father and the step-father and birth mother. As a result criminal conviction data, children's data, sex life data and health data, which should have been removed or redacted, was disclosed in error".

The Law

Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle' and organisations must ensure personal data is protected to ensure it is not disclosed inappropriately.

The ICO's Findings

The ICO's investigation found that:

• Achieving for Children did not have the required organisational measures in place to ensure that an incident such as this would not occur;

• Neither the social worker responsible for sending the assessment or the manager who reviewed it, had received redaction training; and

• No policy was in place to ensure a manager reviewed redactions prior to an assessment being disclosed.

Throughout its investigation, the ICO found that the organisations had expectations for staff to complete work in a certain way but there was no evidence of policies or guidance documents that inform employees of these expectations. Achieving for Children are now completing ongoing work to ensure that social workers are trained on redaction and other data protection policies.

The ICO has also recommend that Achieving for Children takes the following steps to prevent such an incident from occurring again:

• Every employee who is expected to complete redactions should complete redaction training;

• Expectations of senior leadership must be documented in policies or guidance;

• Annual data protection and information governance training must be provided to all staff.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.

From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

Whilst human error may have been responsible for a failure to properly redact a document, the organisation here has received a reprimand because there were insufficient documented processes and procedures to protect personal data.

A full copy of the reprimand is available to view here.

For further data protection advice and support, Bethany Paliga, Senior Associate and Accredited Data Protection Practitioner in our Governance, Procurement and Information team.