Data Protection

Compliance with Data Protection is important to get right as lost data costs heavy fines and is damaging to an organisation's reputation and continuity.


Password 'fido' ...item 3b.. Five Characters in Search of an Exit -- The Twilight Zone (December 22, 1961) (Photo: Marsmettnn Tallahassee)

When organisations think about the Data Protection Act, they often ask if there is a template policy they can adopt. This article will get you started on the basics of putting together a policy and adopting good practice.

Data Protection is not about following a fixed set of rules which are the same for everyone; it’s about complying with the eight Principles of the Data Protection Act. These Principles are very general. In any given situation there are probably several courses of action that would be equally compliant. Which one you choose depends on how your organisation works, what kind of clients you work with, and so on.

Compliance with Data Protection is important to get right: not only is lost data damaging to business reputation and continuity, but the Information Commissioner's Office (ICO) is starting to fine organisations heavily for breaches.

From the 2013 Information Security Breaches Survey:

  • breaches experienced by 60% of SMEs;
  • £35,000 to £65,000 is the average cost to a small business of its worst security breach of the year;
  • 36% of the worst security breaches in the year were caused by inadvertent human error (and a further 10% by deliberate misuse of systems by staff);
  • 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago).


IMPORTANT NOTE - Should you suspect a data security breach or need to report a loss of personal data, see these pages from the ICO. All health service organisations and voluntary sector partners in England must now use the NHS IG (Information Governance) Toolkit Incident Reporting System. This will report IG SIRI (Serious Incident Requiring Investigation) to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators.


Compliance

Everyone who is responsible for using data has to follow strict rules called 'data protection principles', which are neatly summarised on the Out-Law website.

Organisations must make sure the information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the UK without adequate protection

All organisations must adhere to these principles. In addition, some types of organisation and profit-making enterprises will also need to register with (or notify) the ICO of the fact that they are holding members' or customers' data. To find out if you need to register, this quick online self-assessment test will let you know.

In addition there is a section on the NHS Information Governance Toolkit that outlines the requirements specifically for voluntary sector organisations that provide social care services. It covers Data Management, Confidentiality and Data Protection, Information Security and Clinical Assurance. 


Framework

The Data Protection Policy Framework Document (152 Kb RTF) contains suggested headings, topics and sample text which will be applicable for a typical Data Protection Policy for a voluntary sector organisation. For convenience, the framework is split into 10 main areas which are then subdivided. These areas are:

  • Introduction
  • Responsibilities
  • Confidentiality
  • Security
  • Data recording and storage
  • Subject access
  • Transparency
  • Consent
  • Direct marketing
  • Staff training & acceptance of responsibilities


ICO guidance

The ICO publishes a wide range of leaflets, briefing notes, guides and training materials free of charge for both individuals and organisations.

The HSCIC (Health & Social Care Information Centre) on-line learning toolkit will help you work through your organisation's Information Governance compliance. (Account Registration required).

A report published by the ICO in January 2015 has highlighted some of the problems connected to data protection and information security in small charities. The 'areas for improvement' list (starting on page 10) could be a useful Action Plan for an organisation. See how many you can tick off! (Direct link to download the report here - 220kb PDF).


Resources

Download: The Data Protection Policy Framework Document (152 Kb RTF) contains suggested headings, topics and sample text which will be applicable for a typical Data Protection Policy for a voluntary sector organisation.

Download: A simple Data Protection Checklist and Policy, which contains advice an organisation should consider when drafting a policy, and also includes a list of the 8 Data Protection Principles.

Guidance: The Information Commissioner's Office has guidance specific to charities and health organisations.

Guidance: Cyber security: what small businesses need to know

Guidance: FREE printed publications request page and download links from the Information Commissioner's Office (ICO) and the 'THINK PRIVACY' Toolkit for Charities

Report: 2013 Information Security Breaches Survey

Publication: Data Protection for Voluntary Organisations, Paul Ticher

With thanks and acknowledgements to Paul Ticher, this article is an updated and abridged version of an earlier Lasa ICT Knowledgebase article, 'Data Protection Policies'.


Events

Paul Ticher also runs regular webinars for voluntary sector organisations on Data Protection and Data Security. See the list of upcoming broadcasts here.
