This page contains information that has appeared on Sandy Adirondack's legal update website for voluntary organisations at www.sandy-a.co.uk/legal.htm. For current updates, including potential changes that are in the pipeline, see the legal update website.

These websites for each chapter update the 3rd edition of The Russell-Cooke Voluntary Sector Legal Handbook by James Sinclair Taylor and the Charity Team at Russell-Cooke Solicitors, edited by Sandy Adirondack (Directory of Social Change, 2009). The websites are not intended as a comprehensive update and should not be treated as such.

To order a copy of The Russell-Cooke Voluntary Sector Legal Handbook, print out the order form at www.sandy-a.co.uk/bookserv.htm or send an email order by clicking . It costs £60 for voluntary organisations or £90 for others, plus 10% p&p.

Chapter 43
DATA PROTECTION AND USE OF INFORMATION

DATA PROTECTION ROUND-UP

Added 17/3/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Lest anyone think that data protection is unimportant or does not apply to voluntary organisations: the Alzheimer's Society was in February 2010 found by the Information Commissioner to be in breach of the Data Protection Act 1998 duty to keep personal data secure, after several laptops were stolen during a burglary. The laptops were not locked away, and one contained unencrypted details of 1000 staff, including addresses and national insurance numbers. Ironically, the computers had been returned to the office for encryption.

The Society had to give an undertaking that "portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent; physical security measures are adequate to prevent unauthorised access to personal data; staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy; and the data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage". Further data protection breaches could lead to criminal prosecution.

In case you want to know what such a thing looks like, the Alzheimer's Society undertaking is at tinyurl.com/ylltcmp.

And to help ensure your organisation doesn't get into such trouble, here is some new and recent guidance.

Clearly ICT security is essential — not just in relation to data protection, but to protect all of your organisation's information. The 34-page Computanews guide to ICT security, published in October 2009, is essential reading for all organisations. It covers how to assess the risks and policies needed, how computer security is affected by people and by the environment in which it is used (including public access computers and homeworking), specific steps to secure assets (everything from passwords through to end point security and the end of the computer's life), and checklists for assessing and dealing with risks. All that — and cartoons too. Download from tinyurl.com/ykxxlm3.

The Information Commissioner's Office issued in December 2009 a plain English guide to data protection, with an explanation about each of the eight data protection principles and practical examples of how they apply in practice. The guide can be accessed via tinyurl.com/372h3z.

The Trades Union Congress has produced guidance on the law on access to medical reports that are requested by the employer. The guidance also looks at how unions and safety representatives can ensure that the rights of workers are protected. It is at www.tuc.org.uk/h_and_s/tuc-17272-f0.cfm.

The consultation on the Information Commissioner's Office's draft guidance on collecting information online closed on 5 March 2010. The guidelines include broad principles such as not being secretive or deceptive in how personal data is handled; not trying to gain an advantage by using personal data in a way that people wouldn't expect or might object to; not collecting personal data that is not needed; ensuring adequate data security; and not ignoring the laws of other countries from which personal data is collected. The consultation documents are at ico-consult.limehouse.co.uk/portal/cop/pio.

British Standard 10012 on personal information management systems, designed to ensure compliance with the Data Protection Act, was issued in May 2009 and covers issues such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties. It costs £50 for BSI members and £100 for others. Information is at tinyurl.com/y89wer8.

The annual fee for notification to (registration with) the Information Commissioner's Office increased to £500 on 1 October 2009, for organisations in the public, private, or non-charitable voluntary sector with annual turnover of £25.9 million or more and 250 or more staff. The fee remains £35 for all charities, regardless of size, and for public, private, or non-charitable voluntary organisations below the threshold. The Data Protection (Notification and Notification Fees)(Amendment) Regulations 2009 are at www.opsi.gov.uk/si/si2009/plain/uksi_20091677_en.

Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) need to be aware of a decision by the European Commission on 5 February 2010. This requires, for new contracts with outsourcing companies, written consent for processing of personal data to be sub-contracted. Useful information is available at www.out-law.com/page-8169.

SANDY ADIRONDACK
Governance and legal training and consultancy
for the voluntary sector
39 Gabriel House, 10 Odessa Street, London SE16 7HQ
Tel 020 7232 0726; fax 020 7237 8117
Email:
Web: www.sandy-a.co.uk