The UK’s Information Commissioner’s Office (“ICO”) has published three brief lessons for organisations across the private and public sectors on staying compliant with data protection law, both in the UK and the European Economic Area.
Lesson 1: Put in place policies and train staff to avoid inappropriate disclosure of personal data
The ICO has reprimanded a number of organisations for failing to put in place sufficient policies or provide adequate training. Organisations should:
- Provide sufficient data protection training for staff dealing with the disclosure and redaction of documents;
- Put in place policies to avoid personal information being displayed on electronic screens by mistake; and
- Ensure procedures are in place to protect the security of internal emails including personal information, especially special category personal data.
Lesson 2: Respond to Subject Access Requests as soon as possible
The ICO has identified that many organisations are failing to respond to Subject Access Requests within the statutory timeframe. Organisations should:
- Ensure they understand what is required in response to a Subject Access Request;
- Respond to Subject Access Requests within one month of receipt of the request (this can be extended by a further two months where the request is particularly complex or the individual has made a number of requests, but the individual must be told of the extension, and the reasons for it, within the first month); and
- Take a proactive approach to dealing with Subject Access Requests, making use of the guidance issued by the ICO.
Lesson 3: Take a ‘by design and default’ approach
For any organisations planning to introduce apps, products or services using personal information:
- Take a ‘data protection by design and default’ approach from the start – meaning integrating data protection into business practices from the design stage right through the lifecycle;
- Review the systems and means of data processing in your organisation to ensure they are compliant with data protection legislation; and
- Issue data protection guidance to staff in respect of the use of any apps (and ensure staff confirm the guidance has been read and understood).
These lessons are based on reprimands issued by the ICO between April and June of this year to the Ministry of Justice, University Hospitals Dorset NHS Foundation Trust and Plymouth City Council, among others. Organisations are expected to learn from such enforcement actions so as to ensure that personal data is handled appropriately.
For any queries on data protection, please contact Hetal Ruparelia, Partner and Head of our Information Law team.