This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Join our Mailing List

JOIN OUR MAILING LIST

The latest news from Devonshires, sent to you direct.

Join our mailing list and find out what we’re up to and what we think about recent events and future possibilities.

SIGN UP
All Posts
| 1 minute read

Public and private sector organisations: Three key lessons in staying data compliant published by the ICO

Exchange information and data with internet cloud technology.FTP(File Transfer Protocol) files receiver and computer backup copy. File sharing isometric. Digital system for transferring documents.

Get in touch

Avatar
Hetal Ruparelia
Partner

Get in touch

Avatar
Hetal Ruparelia
Partner

The UK’s Information Commissioner’s Office (“ICO”) has published three brief lessons to be learned by organisations across the private and public sector to stay compliant with data protection law, both in the UK and the European Economic Area. 

Lesson 1: Put in place policies and train staff to avoid inappropriate disclosure of personal data 

The ICO has reprimanded a number of organisations for failing to put in place sufficient policies or provide adequate training. Organisations should: 

  • Provide sufficient data protection training for staff dealing with the disclosure and redaction of documents; 
  • Put in place policies to avoid personal information being displayed on electronic screens by mistake; and 
  • Ensure procedures are in place to protect the security of internal emails including personal information, especially special category personal data. 

Lesson 2: Respond to Subject Access Requests as soon as possible 

The ICO has identified that many organisations are failing to respond to Subject Access Requests within the statutory timeframe. Organisations should: 

  • Ensure they understand what is required in response to a Subject Access Request;
  • Respond to Subject Access Requests within one month of receipt of the request (unless this deadline has been extended by two months, in cases where the request is particularly complex); and 
  • Take a proactive approach to dealing with Subject Access Requests, making use of the guidance issued by the ICO.  

Lesson 3: Take a ‘by design and default’ approach  

For any organisations planning to introduce apps, products or services using personal information: 

  • Take a ‘data protection by design and default’ approach from the start – meaning integrating data protection into business practices from the design stage right through the lifecycle; 
  • Review the systems and means of data processing in your organisation to ensure this is compliant with data protection legislation; and 
  • Issue data protection guidance to staff in respect of the use of any apps (and ensure staff confirm the guidance has been read and understood). 

These lessons have been based on reprimands issued by the ICO between April to June of this year to the Ministry of Justice, University Hospitals Dorset NHS Foundation Trust, Plymouth City Council and more. Organisations are expected to learn from such enforcement actions so as to ensure that personal data is handled appropriately. 

For any queries on data protection, please contact Hetal Ruparelia, Partner and Head of our Information Law team

 

Tags

housing management & property litigation, social housing, subject access requests, property management, gdpr, data protection, housing associations, registered providers, housing sector

Get in touch

Avatar
Hetal Ruparelia
Partner

Get in touch

Avatar
Hetal Ruparelia
Partner

Latest Insights