The £200,000 fine issued to the British Pregnancy Advice Service (BPAS) is the latest in a growing number of data protection breaches in the charity sector.
Data protection has become mainstream. But has your approach to data protection kept up with developments? The BPAS breach – the joint 4th highest of the 47 fines issued for serious breaches, and the publicity surrounding it – highlights the significant financial and reputational impact of poor or outdated data protection practice.
A lot has changed since 2010…
Although law since 1984, the Data Protection Act got new teeth in 2010. Serious breaches can lead to a fine of up to £500,000; less serious breaches are publicised by the Information Commissioner’s Office (ICO) and any breach can trigger media coverage and complaints.
Expectations have never been higher. Service users expect their sensitive information to be handled appropriately and securely. The public give their time, money and support to charities they trust and have confidence in. Commissioning bodies will often require assurance about data protection before awarding contracts. Anything that affects brand or reputation could affect existing or potential partnerships with corporate partners.
Fines can be issued where a breach is likely to cause substantial distress and an organisation knew (or should have known) of the risks. The harm does not actually have to materialise. As the ICO noted in the BPAS case, the breach was likely to cause substantial distress to the users of their website “even if this is simply by knowing that their confidential personal data has in fact been accessed by [someone] who had no right to see that information…[the breach was] likely to cause substantial distress even if it can be argued that substantial distress was not actually caused…”
It’s not all about hackers…
The majority of the £5m of fines have been for poor organisational approaches to managing data protection. Norwood Ravenswood were the first charity to get fined; highly sensitive information about four young children was lost after being left outside a home by one of their social workers. The following breaches by charities led to the ICO seeking public assurances that performance would improve:
- Folder containing confidential client information left in a café
- Loss of three service users’ files during an office move
- Theft of an unencrypted laptop containing sensitive personal data
- Two unencrypted memory sticks and papers containing the personal details of up to 101 individuals stolen from an employee’s home
Value personal information…
The ICO has a simple message:
“treat the personal information you are holding with respect.”
Last year, the ICO noted that
“…consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.” He declared 2013 as “the year that organisations will realise the commercial imperative of properly handling customer data.”
He could just as easily have been talking about charities and their donors, service users, volunteers and staff.
All charities should take three initial steps:
Recognise there is value (and risk) not only in high volumes of records or information that might typically be regarded as sensitive; there is as much need to protect and manage a single file containing the entire history of someone, and basic personal details such as name, telephone number, address and date of birth where they are held in a sensitive context (as was the case with the BPAS). Think of a personal example: if just your name and email address is on a “50 Shades of Grey fanclub” mailing list, it says something about you…and in the wrong hands, it could result in you receiving unwanted emails and attention.
Know what information your charity is collecting, storing, using and sharing (both within and outside the charity), along with a clear understanding of how these activities are being undertaken.
Implement a risk-based programme of work to deliver ongoing compliance. Risk-assess the threats you face; the Data Protection Act recognises that one size or solution does not fit all – it requires you to implement an appropriate mix of both technical and organisational measures to address the risks you face. Compliance requires action from a cross-section of key staff – for example, those responsible for IT, HR, training, facilities, contracts and operations; Trustees who can articulate the wider impact of a potential breach and managers who can monitor staff compliance.
2014 is the year…
2014 is the year to push data protection up the agenda so you can avoid the worst case scenario: a problem erupts, harming trust and reputation (and possibly those you were looking to help and protect), which then requires unplanned time, effort and cost as you “fire-fight” to bring the situation under control.
2014 should also see significant change in EU data protection law: mandatory breach notification; increased fines; further rights for individuals; privacy impact assessments and the requirement to appoint a Data Protection Officer in certain circumstances are all likely to be on the way in the near future.
Taking the three initial steps will help prepare for these changes. It will also demonstrate that your charity recognises the importance of managing personal information; that your Trustees and senior management have data protection on their agenda and are on a journey that will lead to appropriate measures being implemented to reduce the risk of a serious breach.
To find out more about Protecture and what they can offer ACEVO members, go to www.protecture.org.uk