06 April, 2023
The ICO has recently announced it has issued a reprimand against a not-for-profit organisation for failing to comply with the UK GDPR's security principle.
On 03 April 2023, the ICO published a reprimand against Achieving for Children, a not-for-profit organisation, for inappropriately disclosing personal data, special category data and criminal conviction data in a report. The reprimand states that the ICO conducted an investigation into Achieving for Children and found that, "Due to a communication failure, the manager concerned did not realise on two occasions that an assessment was being sent to both the birth father and the step-father and birth mother. As a result criminal conviction data, children's data, sex life data and health data, which should have been removed or redacted, was disclosed in error".
Article 5(1)(f) of the UK GDPR states that personal data must be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is often known as the 'Data Security Principle', and organisations must protect personal data so that it is not disclosed inappropriately.
The ICO's investigation found that:
Throughout its investigation, the ICO found that the organisation had expectations for staff to complete work in a certain way, but there was no evidence of policies or guidance documents that informed employees of these expectations. Achieving for Children is now completing ongoing work to ensure that social workers are trained on redaction and other data protection policies.
The ICO has also recommended that Achieving for Children takes the following steps to prevent such an incident from occurring again:
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
Whilst human error may have been responsible for the failure to properly redact the document, the organisation here received a reprimand because there were insufficient documented processes and procedures in place to protect personal data.
For further data protection advice and support, contact Bethany Paliga, Senior Associate and Accredited Data Protection Practitioner in our Governance, Procurement and Information team.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.