SANDY ADIRONDACK
Legal and governance training and consultancy
for the voluntary sector
OTHER CHAPTERS
I. THE ORGANISATION

Ch.1: Setting up an organisation
Ch.2: Unincorporated organisations
Ch.3: Incorporated organisations
Ch.4: Charitable status, charity law & regulation
Ch.5: The organisation's objects
Ch.6: The organisation's name
Ch.7: The governing document
Ch.8: Registering as a charity
Ch.9: Branches, subsidiaries & group structures
Ch.10: Changing legal form
Ch.11: Collaborative working, partnerships and mergers
II. GOVERNANCE
Ch.12: Members of the organisation
Ch.13: Members of the governing body
Ch.14: Officers, committees & sub-committees
Ch.15: Duties & powers of the governing body
Ch.16: Restrictions on payments & benefits
Ch.17: The registered office & other premises
Ch.18: Communication & paperwork
Ch.19: Meetings, resolutions & decision making
Ch.20: Assets & agency
Ch.21: Contracts & contract law
Ch.22: Risk & liability
Ch.23: Insurance
Ch.24: Financial difficulties & winding up
III. EMPLOYEES, WORKERS, VOLUNTEERS & OTHER STAFF
Ch.25: Employees & other workers
Ch.26: Rights, duties & the contract of employment
Ch.27: Model contract of employment
Ch.28: Equal opportunities in employment
Ch.29: Taking on new employees
Ch.30: Pay & pensions
Ch.31: Working time, time off & leave
Ch.32: Rights of parents & carers
Ch.33: Disciplinary matters, grievances & whistleblowing
Ch.34: Termination of employment
Ch.35: Redundancy
Ch.36: Employer-employee relations
Ch.37: Employment claims & settlement
Ch.38: Self employed & other contractors
Ch.39: Volunteers
IV. SERVICES & ACTIVITIES
Ch.40: Health & safety
Ch.41: Safeguarding children & vulnerable adults
Ch.42: Equal opportunities: goods, services & facilities
Ch.44: Intellectual property
Ch.45: Publications, publicity & the internet
Ch.46: Campaigning & political activities
Ch.47: Public events, entertainment & licensing
V. FUNDING & FUNDRAISING
Ch.48: Funding & fundraising: General rules
Ch.49: Fundraising activities
Ch.50: Tax-effective giving
Ch.51: Trading & social enterprise
Ch.52: Contracts & service agreements
VI. FINANCE
Ch.53: Financial procedures & security
Ch.54: Annual accounts, reports & returns
Ch.55: Auditors & independent examiners
Ch.56: Corporation tax, income tax & capital gains tax
Ch.57: Value added tax
Ch.58: Investment & reserves
Ch.59: Borrowing
VII. PROPERTY
Ch.60: Land ownership & tenure
Ch.61: Acquiring & disposing of property
Ch.62: Business leases
Ch.63: Property management & the environment
VIII. BACKGROUND TO THE LAW
Ch.64: How the law works
Ch.65: Dispute resolution & litigation
UPDATED INFORMATION FOR CHAPTER 43:
THE RUSSELL-COOKE
VOLUNTARY SECTOR LEGAL HANDBOOK

This page contains information that has appeared on Sandy Adirondack's legal update website for voluntary organisations at www.sandy-a.co.uk/legal.htm. For current updates, including potential changes that are in the pipeline, see the legal update website.

These websites for each chapter update the 3rd edition of The Russell-Cooke Voluntary Sector Legal Handbook by James Sinclair Taylor and the Charity Team at Russell-Cooke Solicitors, edited by Sandy Adirondack (Directory of Social Change, 2009). The websites are not intended as a comprehensive update and should not be treated as such.

To order a copy of The Russell-Cooke Voluntary Sector Legal Handbook, print out the order form at www.sandy-a.co.uk/bookserv.htm or send an email order by clicking . It costs £60 for voluntary organisations or £90 for others, plus 10% p&p.

To avoid spamming, an email address is not given on screen. If you can't see the word 'here' or have trouble sending an email by clicking on it, the address is bookservice at sandy-a.co.uk, with the spaces and 'at' replaced by the @ symbol.

The information here covers the law applicable to England and Wales. It may not apply in Northern Ireland and/or Scotland. These news items are not a full or definitive statement of the law and are not intended as a substitute for professional legal advice. No responsibility for loss occasioned as a result of any person acting or refraining from acting can be taken by the author.


Chapter 43
DATA PROTECTION AND USE OF INFORMATION


The items below formerly appeared on the legal update website for voluntary organisations and are archived here. The content may be out of date and links may not work. For current updates to the chapter, see the legal update website for voluntary organisations at www.sandy-a.co.uk/managing.htm.


FREEDOM OF INFORMATION ACT: PUBLIC AUTHORITIES

Updated 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Ministry of Justice announced in January 2011 that it would extend the Freedom of Information Act (FOIA) to cover more bodies, including the Association of Chief Police Officers, the Financial Services Ombudsman and higher education admissions body UCAS, and would consult on bringing examination boards, some school inspectorates, the Local Government Association and some other bodies within the Act. The MoJ confirmed that although some specific named charities are covered under the FoIA, there is still no intention to extend FOIA to all charities, or to all contractors that provide services on behalf of public authorities.

In Scotland, the Scottish government consulted until November 2010 on proposals to extend the FOI (Scotland) Act 2002 (FOISA) to cover some contractors and other bodies that provide public services, such as trusts created by local authorities operating leisure and cultural facilities, or companies which run prisons and prison escort services, or which build and/or maintain schools. The consultation documents can be accessed via tinyurl.com/yzqx9en. The outcome of this consultation could mean that the FOIA and FOISA end up with different definitions of public authorities and "functions of a public nature".

Even if an organisation is not subject to FOIA or FOISA, information provided to a public body, for example as part of contract tender documents or monitoring of services, may need to be disclosed by the public body in response to a FOIA or FOISA request for information. And in some very specific cases, a court might find that a charity providing services on behalf of a public body is itself directly subject to the FOIA.


USING THE FREEDOM OF INFORMATION ACT FOR CAMPAIGNING

Added 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The National Council for Voluntary Organisations published in October 2010 a guide to using the Freedom of Information Act for campaigning at local and national levels. Voicing your right to know: A guide to using the FOIA in campaigning gives examples of how voluntary organisations have used to Act to obtain statistics and other information which can help in campaigning, and is at www.ncvo-vol.org.uk/yourrighttoknow. There's a summary of key points on the Guardian's Voluntary Sector Network at tinyurl.com/7bz8ock.


DISCLOSURE OF PERSONAL DATA IN FREEDOM OF INFORMATION & ENVIRONMENTAL INFORMATION REQUESTS

Added 19/12/11. This information adds a new s.43.2.3 ∧ 43.3.1 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Personal data as defined under the Data Protection Act is in most cases exempt from the Freedom of Information Act and the Environmental Information Regulations, and generally cannot be disclosed by public authorities in responding to a request under the FOIA or EIR. The intention of this exemption is to protect individuals’ privacy. However there are some exceptions, and organisations faced with a request which could involve disclosure of personal data should take specialist advice.

The Information Commissioner's Office issued updated guidance for these situations in March 2011. There is no direct link but it can be accessed from the ICO website via tinyurl.com/3f6fa57, then click on "Exemptions - freedom of information" then on "Section 40: personal information".


USING THE AUDIT COMMISSION ACT TO OBTAIN INFORMATION

Added 19/12/11. This information adds a new s.43.2.5 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Freedom of Information Act exemptions allow public authorities not to disclose, in some situations, information whose disclosure would prejudice the authority's commercial interests, and some confidential information. But under s.15 of the Audit Commission Act 1998 local authorities (but not other public bodies) are required to allow an individual or corporate local taxpayer to inspect and copy the "books, deeds, contracts, bills, vouchers and receipts" that relate to the local authority's audited accounts.

In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council, the court of appeal ruled in October 2010 that the Audit Commission Act requirement overrode the local authority's duty of confidentiality to Veolia, and contract details had to be disclosed to a local taxpayer who requested them. The decision is at www.bailii.org/ew/cases/EWCA/Civ/2010/1214.html.

While this allows organisations and individuals to access information about local authority contracts that would otherwise be unavailable, Unity Trust Bank has warned in a newsletter that "this case highlights one of the risks involved in contracting with local authorities and this should be borne in mind when considering whether to bid for these type of contracts".

Details of how to request information are in the Bates Wells & Braithwaite Charity and Social Enterprise Law Update, summer 2011, on p.14 at www.bwbllp.com/Files/Updates/CharityUpdateSummer2011.pdf.


DATA PROTECTION RESOURCES

Added 28/4/13. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office (ICO), which oversees data protection implementation and enforcement, provides one-day advisory visits for small and medium-sized charities and other voluntary organisations. The visits focus primarily on data security, records management and dealing with requests for personal data, but are tailored to each organisation and offer practical advice on improving data protection practices. Information about the visits and how to request one is at tinyurl.com/ct9694a.

Voluntary sector data protection expert Paul Ticher provides free or low-cost webinars (internet seminars) on data protection. Details and registration are at www.paulticher.com.

The ICO website at www.ico.gov.uk has detailed information about the Data Protection Act 1998 and related regulations. There are separate sections for organisations about their duties under the act, along with codes of practice and good practice guidance, and for individuals who may want to make a subject access request to see personal data held about them. New or recently revised ICO resources include:

  • Bring your own device (BYOD), March 2013. This guidance covers the security vulnerabilities and other data protection concerns that can arise when employers permit employees to connect their personal computing devices (smart phones, tablets, laptops etc) to the organisation's IT systems. It is at tinyurl.com/br5xjhw.

  • Draft subject access code of practice, November 2012. In 2011/12 the ICO handled nearly 6,000 complaints from individuals unhappy that organisations were denying them their statutory right to view information held about them. A new code of practice, to be published in spring 2013, aims to explain individuals' rights to subject access and organisations' legal responsibilities. Consultation on the draft code took place from 29 November 2012 to 21 February 2013. The draft code is at tinyurl.com/btmaefa, with the consultation questions at tinyurl.com/ckd2aqs.

  • IT asset disposal for organisations, November 2012. This guidance is intended to help organisations securely dispose of their IT equipment. It includes what they need to consider when disposing of electronic equipment that may contain personal data, the use of asset disposal registers, and the arrangements that need to be in place when contracting IT disposal work to another company. It is at tinyurl.com/csqfqme.

  • Anonymisation, November 2012. This code of practice and summary of the code cover the steps an organisation can take to ensure that anonymisation is conducted effectively, while retaining useful data. It is at tinyurl.com/con63ya.

  • Cloud computing, September 2012. The guide includes questions and approaches an organisation should consider, in conjunction with a prospective cloud provider, in order to ensure that the processing of personal data done in the cloud complies with the Data Protection Act. It is at tinyurl.com/cnvgrmc.

  • Practical guide to IT security, April 2012. A short guidance briefing, intended for small business but just as relevant to voluntary organisations. It covers using a layer approach to security; securing data on the move; keeping the organisation and its systems up to date; and keeping an eye out for problems. It is at tinyurl.com/bnlpnhn.

THE TOP FIVE DATA PROTECTION ISSUES FOR VOLUNTARY ORGANISATIONS

Added 28/4/13. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office published in August 2012 its top five data protection areas for improvement for small and medium sized charities and other voluntary organisations, which may not have the resources to hire dedicated information specialists but often handle extremely sensitive information such as individuals' medical details. Failure to comply with data protection requirements in relation to such data could lead to a monetary penalty of up to £500,000.

The five areas identified by the ICO are:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff. The ICO has a training checklist for small and medium sized organisations at www.tinyurl.com/d7xvzzo.

  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.

  4. Encrypt all portable devices. Make sure all portable devices — such as memory sticks and laptops — used to store personal information are encrypted.

  5. Only keep people's information for as long as necessary. Make sure your organisation has established retention periods in place, and set up a process for deleting personal information once it is no longer required.
In the spring 2013 issue of their Charity and social enterprise law update, Bates Wells and Braithwaite solicitors added three more tips:
  • Archived or backed-up data is still personal data and needs the meet all the same legal requirements.
  • "Encrypt" (as referred to in the ICO's advice) means more than just password protection. Many of the penalties levied by the ICO are imposed where information is not properly encrypted (see Data protection breaches: Could it happen to you?, below).
  • Ensure your organisation has an up to date date protection policy. If the ICO investigates a complaint or a breach of the Data Protection Act, a failure to have a data protection policy in place is likely to result in tougher sanctions.
The ICO's more detailed guidance for charities is at www.tinyurl.com/bvmalgx. The checklist for small businesses at tinyurl.com/cxhxynq may also be useful.

The ICO offers free one-day advisory visits — for information see data protection resources above.

DATA PROTECTION ROUND-UP

Added 17/3/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Lest anyone think that data protection is unimportant or does not apply to voluntary organisations: the Alzheimer's Society was in February 2010 found by the Information Commissioner to be in breach of the Data Protection Act 1998 duty to keep personal data secure, after several laptops were stolen during a burglary. The laptops were not locked away, and one contained unencrypted details of 1000 staff, including addresses and national insurance numbers. Ironically, the computers had been returned to the office for encryption.

The Society had to give an undertaking that "portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent; physical security measures are adequate to prevent unauthorised access to personal data; staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy; and the data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage". Further data protection breaches could lead to criminal prosecution.

In case you want to know what such a thing looks like, the Alzheimer's Society undertaking is at tinyurl.com/ylltcmp.

And to help ensure your organisation doesn't get into such trouble, here is some new and recent guidance.

Clearly ICT security is essential — not just in relation to data protection, but to protect all of your organisation's information. The 34-page Computanews guide to ICT security, published in October 2009, is essential reading for all organisations. It covers how to assess the risks and policies needed, how computer security is affected by people and by the environment in which it is used (including public access computers and homeworking), specific steps to secure assets (everything from passwords through to end point security and the end of the computer's life), and checklists for assessing and dealing with risks. All that — and cartoons too. Download from tinyurl.com/ykxxlm3.

The Information Commissioner's Office issued in December 2009 a plain English guide to data protection, with an explanation about each of the eight data protection principles and practical examples of how they apply in practice. The guide can be accessed via tinyurl.com/372h3z.

The Trades Union Congress has produced guidance on the law on access to medical reports that are requested by the employer. The guidance also looks at how unions and safety representatives can ensure that the rights of workers are protected. It is at www.tuc.org.uk/h_and_s/tuc-17272-f0.cfm.

The consultation on the Information Commissioner's Office's draft guidance on collecting information online closed on 5 March 2010. The guidelines include broad principles such as not being secretive or deceptive in how personal data is handled; not trying to gain an advantage by using personal data in a way that people wouldn't expect or might object to; not collecting personal data that is not needed; ensuring adequate data security; and not ignoring the laws of other countries from which personal data is collected. The consultation documents are at ico-consult.limehouse.co.uk/portal/cop/pio.

British Standard 10012 on personal information management systems, designed to ensure compliance with the Data Protection Act, was issued in May 2009 and covers issues such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties. It costs £50 for BSI members and £100 for others. Information is at tinyurl.com/y89wer8.

The annual fee for notification to (registration with) the Information Commissioner's Office increased to £500 on 1 October 2009, for organisations in the public, private, or non-charitable voluntary sector with annual turnover of £25.9 million or more and 250 or more staff. The fee remains £35 for all charities, regardless of size, and for public, private, or non-charitable voluntary organisations below the threshold. The Data Protection (Notification and Notification Fees)(Amendment) Regulations 2009 are at www.opsi.gov.uk/si/si2009/plain/uksi_20091677_en.

Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) need to be aware of a decision by the European Commission on 5 February 2010. This requires, for new contracts with outsourcing companies, written consent for processing of personal data to be sub-contracted. Useful information is available at www.out-law.com/page-8169.


NEW PENALTIES FOR BREACH OF DATA PROTECTION

Added 4/4/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
From 6 April 2010 the Information Commissioner's Office has new powers to impose penalties of up to £500,000 for serious breaches of one or more of the eight principles of data protection law. A monetary penalty can be imposed only if the breach was of a kind likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

The power to impose penalties is is ss.55A-55E of the Data Protection Act 1998, inserted by the Criminal Justice and Immigration Act 2008 s.144 (www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_1).


IMPLIED CONSENT FOR COOKIES

Updated 28/4/13. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Under the Privacy & Electronic Communications (EC Directive) Regulations 2003, organisations which use "cookies" and similar tracking devices which store information about visitors to a website must provide information about the use of cookies and allow individuals to refuse them. Under amendments to the regulations which came into effect on 26 May 2011 (but were not enforced in the UK until 26 May 2012) this is no longer enough; now, in nearly all cases, visitors must opt in by giving "informed consent" to the cookies.

The initial view was that informed consent would have to be explicit. But a few days before the grace period ended in May 2012, the Information Commissioner's Office said that consent could be implied rather than explicit, provided that the implied consent is based on information that is "sufficiently full and intelligible" to allow users to clearly understand the potential consequences of accepting the cookies. Implied consent cannot be used for collection and storage of information defined as sensitive under the Data Protection Act 1998, such as health information, where the legislation requires explicit consent.

Many websites now show a banner or pop-up when a person first accesses a website, explaining that cookies are used and asking the user to click to accept cookies, or saying that the user will be considered to have accepted cookies if they continue to use the website. Alternatively there will simply be a statement on the home page that the website uses cookies and continued use indicates an acceptance of cookies on the site. Regardless of how consent is obtained and whether it is implied or explicit, there will then be, either in the banner or elsewhere on the home page, links to the organisation's privacy statement and an explanation of the cookies it uses. For examples, see the Information Commissioner's Office's own pages at www.ico.org.uk/Global/privacy_statement and www.ico.org.uk/Global/cookies.

Information about all aspects of the rules on cookies is on the ICO's cookies page at tinyurl.com/cvl5xjv and in its detailed guidance on the use of cookies, issued in May 2012, at tinyurl.com/ce6r9bw.

Russell-Cooke solicitors has a straightforward briefing on the rules and obtaining consent, at tinyurl.com/brrwjo3.

The Privacy and Electronic Regulations (EC Directive)(Amendment) Regulations 2011 are at www.legislation.gov.uk/uksi/2011/1208/contents/made.


DATA PROTECTION BREACHES: COULD IT HAPPEN TO YOU?

Updated 28/4/13. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Since 6 April 2010 the Information Commissioner's Office has been able to impose monetary penalties (fines) of up to £500,000 if a breach of one or more of the eight data protection principles is likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

The following monetary penalties were imposed in the year from April 2012 to March 2013. Two of the penalties were served on registered charities: £70,000 to Norwood Ravenswood and £150,000 to the Nursing and Midwifery Council. For details see below under Loss of personal data.

Personal data sent to the wrong person

  • Aneurin Bevan Health Board, Wales, £70,000, April 2012. As a result of a consultant spelling a patient's name incorrectly and not giving enough information for the secretary to identify the correct patient, a report containing explicit details relating to the patient’s health was sent to a former patient with a similar name. The ICO found that adequate checks were not in place to ensure that personal information was sent to the right person. This was the first monetary penalty served by the ICO on an NHS organisation. ICO news release tinyurl.com/bw4b4po.

  • Central London Community Healthcare NHS Trust, £90,000, May 2012. On 45 occasions over a three-month period, sensitive personal data was faxed to an incorrect and unidentified number, compromising 59 patients' personal data. After three months the recipient informed the trust that they had been receiving the faxes but had shredded them. ICO news release tinyurl.com/cabf5o2.

  • Telford & Wrekin Council, £90,000, June 2012. A social worker sent an assessment report, containing confidential and highly sensitive personal data, to the child's sibling instead of the mother. In a second incident, foster carer names and addresses were inappropriately disclosed to the children's mother. ICO news release tinyurl.com/czu8kpu.

  • St George's Healthcare NHS Trust, London, £60,000, July 2012. Two letters containing a vulnerable individual’s sensitive medical details were sent to an address where the individual had not lived for nearly five years — despite the trust having the correct current address and the address having been logged on the NHS's national care record service. ICO news release tinyurl.com/dyaxlgz.

  • Stoke-on-Trent City Council, £120,000, October 2012. Eleven unencrypted emails containing sensitive information about a child protection legal case were sent to the wrong person. ICO news release tinyurl.com/clgljtp.

  • Leeds City Council, £95,000, November 2012. Sensitive personal data relating to a child was sent to the wrong person, revealing details of a criminal offence, school attendance and the child's relationship with their mother. When sending internal mail, the council re-uses envelopes that have been used for external mail. But in this case the external address was not crossed out, so the sensitive file was posted to someone who had nothing to do with this case. ICO news release tinyurl.com/cwexp2q.

  • Plymouth City Council, £60,000, November 2012. Two reports about separate child neglect cases were sent to the same shared printer. Three pages from the first report were mistakenly collated with the pages from the second case, and were handed to the wrong family. The wrongly collated pages contained confidential and highly sensitive personal data about two parents and four children, including allegations of child neglect in ongoing care proceedings. ICO news release tinyurl.com/blzzvcw.

  • Devon County Council, £90,000, December 2012. A social worker used a previous case as a template for an adoption panel report but a copy of the old report, with personal details of 22 people including alleged criminal offences and mental and physical health, was sent out instead of the new one. ICO news release tinyurl.com/cwexp2q.
Loss of personal data
  • Welcome Financial Services Limited, £150,000, July 2012. The company's Shopacheck business lost — and never found — two back-up tape containing the names, addresses and telephone numbers of more than half a million customers. ICO news release tinyurl.com/ce7fs5u.

  • Scottish Borders Council, £250,000, September 2012. The pension records of 676 former employees were found in an over-filled paper recycling bank in a supermarket car park, and a further 172 files had been dumped in another recycling bin the same day. The Council had arranged for a man, known only as GS, to digitise its employees' paper records, without having a written contract setting out his data processing activities and the data security requirements for the documents before and after scanning. ICO news release tinyurl.com/c4vk8gk.

  • Norwood Ravenswood Ltd (a charity), £70,000, October 2012. Highly sensitive reports about the care of four young children was left at the side of the home of the children's prospective adoptive parents, who were not at home. When they returned, the reports were gone. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters. ICO news release tinyurl.com/c4xwvq6.

  • London Borough of Lewisham, £70,000, December 2012. A social worker left sensitive documents including GP and police reports and allegations of sexual abuse and neglect, in a plastic shopping bag on a train, after taking them home to work on. The files were later recovered from the rail company's lost property office. ICO news release tinyurl.com/cwexp2q.

  • Nursing and Midwifery Council, £150,000, February 2013. Three DVDs containing unencrypted confidential personal information and evidence from two vulnerable children were sent by courier to a nurse's misconduct hearing. The parcels showed no signs of tampering, but when they were opened they did not contain the DVDs, and the organisation could not find them anywhere. ICO news release tinyurl.com/bsg9wb4.
Theft of personal data
  • London Borough of Barnet, £70,000, May 2012. Paper records containing sensitive information relating to 15 vulnerable children or young people, which a social worker had taken home to work on, were in a laptop bag that was stolen during a burglary at the employee's home. A computer that was also in the stolen bag was encrypted. ICO news release tinyurl.com/bqr86yx.

  • Greater Manchester Police, £150,000, October 2012. A memory stick with no password protection, containing details of more than 1,000 people with links to serious crime investigations, was in a wallet stolen from an officer's home. Greater Manchester Police suffered a similar security breach in September 2010 but failed to comply with a direction to order all staff to use encrypted memory sticks. A further 1,100 memory sticks were recovered when the force offered an amnesty to staff with personal or unencrypted devices to hand them in. ICO news release tinyurl.com/cf3emxd.
Inadequate on-site and electronic security
  • Brighton and Sussex University Hospitals NHS Trust, £325,000 (the highest penalty to date), June 2012. Highly sensitive personal data belonging to tens of thousands of patients and staff was discovered on hard drives sold on an internet auction site. The information included records of HIV and genito-urinary medicine patients, and also included staff national insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences. The case illustrates the importance of secure storage for redundant hard drives and other media, vetting potential IT suppliers, and using only a fully accredited ISO 27001 IT waste disposal company. ICO news release tinyurl.com/ccthrzs.

  • Belfast Health and Social Care Trust, £225,000, June 2012. Sensitive personal records of thousands of patients and staff were left at a disused site after six local trusts merged into the BHSC Trust in 2007. Trespassers accessed the site in 2010, took photos of patient records and posted them on the internet. During 2010 and 2011 the trust took some steps to secure the sites and destroy the records but did not report the situation to the ICO. ICO news release tinyurl.com/d9a6wva.

  • Sony Computer Entertainment Europe Limited, £250,000, January 2013. The Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers' payment card details were also at risk. An ICO investigation found that the attack could have been prevented if the software had been up to date, while technical developments also meant passwords were not secure. ICO news release tinyurl.com/bvxlxoo.
General mess-ups
  • Torbay Care Trust, £175,000, August 2012. A spreadsheet containing sensitive personal information relating to 1,373 employees was accidentally published on the trust's website. The trust was not aware of this until it was reported by a member of the public 19 weeks later. ICO news release tinyurl.com/cpd86no.

  • Prudential, £50,000, November 2012. A mix-up over the administration of two customers' accounts led to tens of thousands of pounds, meant for an individual's retirement fund, ending up in the wrong account.The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007, but Prudential failed to investigate thoroughly despite being alerted to the error several times. This was the first monetary penalty served by the ICO that did not relate to a significant data loss. ICO news release tinyurl.com/cr4msqo.
Unsolicited marketing communications
  • Tetrus Telecoms. £440,000 total penalties to the joint owners of the company, November 2012. The company had sent millions of unlawful spam texts to the public over the previous three years. ICO news release tinyurl.com/cc35gm9.

  • DM Design Bedroom Ltd, Glasgow, £90,000, March 2013. The company was the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received. ICO news release tinyurl.com/c8bzpgl.
Despite the potential risk of a penalty, the information commissioner stresses that serious breaches — based on potential harm to the data subjects, sensitivity of the data, and the volume of personal data lost, released or corrupted — should be reported immediately.

Of course not all data protection breaches end in a monetary penalty. The ICO required Enable Scotland (Leading the Way), a Scottish charity based in Glasgow, to sign an undertaking in March 2012 committing the charity to improving its data protection compliance, after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee's home (ICO news release tinyurl.com/crumw2z).

Also in March 2012, Durham University had to make a commitment to ensure all staff receive appropriate training on how to follow the organisation's data protection guidance, after screenshots containing names, addresses and dates of birth of up to 177 former students and staff were used in a training manual about university systems (ICO news release tinyurl.com/dxa2rrx).

In Northern Ireland, Contact NI, a counselling service, set up an investigation by an independent panel after a box containing documents fell over and papers blew onto the street from a sixth-floor fire escape. The documents contained names of about 20 callers to the charity's helpline, and details of their conversations with counsellors. The investigation noted not only data protection issues, but also concerns about management of the local office, its supervision by the charity's headquarters in Belfast, and working relationships between clinical and administration staff.

Individuals who access data which they do not have a right to see, or use data for purposes for which it was not intended, can be prosecuted for breach of the Data Protection Act and can be fined. In 2012/13 a bank employee was fined £500 and ordered to pay £15 victim surcharge and £1410.80 prosecution costs, for reading her partner's ex-wife's bank statements; and a medical receptionist was fined £750 and ordered to pay £15 victim surcharge and £400 prosecution costs after unlawfully accessing patients' details. More information about these two cases is at tinyurl.com/c2c9b2v and tinyurl.com/dytbmw3.

The maximum fine for an individual who breaches data protection law is £5,000. The information commissioner has consistently called for deliberate breaches to be punished by prison sentences and/or larger fines.

DATA PROTECTION BREACHES

Updated 31/12/11. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Since 6 April 2010 the Information Commissioner's Office has been able to impose monetary penalties of up to £500,000 if a breach of one or more of the eight data protection principles is likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

The highest monetary penalty to date, £130,000, was served on 6 December 2011 on Powys County Council. In two incidents, documents about child protection cases were mistakenly sent to the same wrong person. In the more serious incident, it is thought pages from one document got muddled with pages from another when they were both being printed out on the same printer, and the document was then sent out without being checked.

Other monetary penalties served on local authorities have included Surrey County Council, £120,000 after sensitive personal data was emailed to the wrong people on three separate occasions (in one case, sending sensitive personal data about 241 people to taxi companies and other transport firms, and in another case, sending personal data to 100 people who had asked to receive a council newsletter); Hertfordshire County Council, £100,000 for accidentally faxing information to the wrong people on two occasions, including information about a child sexual abuse case and a care proceeding; Worcestershire County Council, £80,000 for emailing highly sensitive personal data about a large number of people by clicking on a group list of 23 people who should not have received it; and North Somerset Council, £60,000 after an employee sent five emails, two with highly sensitive information about a child’s serious case review, to the wrong NHS employee.

A data controller can also be held liable for the actions of someone who processes data on its behalf. In February 2011 a monetary penalty of £80,000 was issued to Ealing Council following the theft from an employee's home of two unencrypted laptops containing personal information about 1700 individuals who used the council's out-of-hours service. The service was also provided under contract to Hounslow Council, and 40% of the individuals were Hounslow clients. Hounslow faced a £70,000 penalty for not having a written contract with Ealing Council, and not monitoring Ealing’s procedures for operating the service securely.

To date most monetary penalties have been served on public sector bodies. But employment services company A4E was served a £60,000 penalty following the theft of an unencrypted laptop from an employee's home. The computer contained full names, date of birth, postcodes and income level for 24,000 people who had visited community law centres in Hull and Leicester.

Stolen laptops also led to the Alzheimer's Society being warned they could face criminal prosecution if they did not put proper data protection procedures, including encryption of personal data, in place (see archived item at www.sandy-a.co.uk/vslh/43info.htm). More recently two charities have had to sign undertakings to improve their procedures. Asperger's Children and Carers Together, a Sheffield-based charity, had a laptop stolen from an employee's home, with 80 children's names, addresses, date of birth and medical information, and Wheelbase Motor Project had a hard drive stolen from its office in Nottingham, with personal data on 50 young people including information on criminal convictions and child protection issues. The Alzheimer's Society case was before the ICO had power to impose monetary penalties, and the other two charities were not served with monetary penalties.

In another case that led to an undertaking but not a monetary penalty, personal details about six people who were being supported by North Lanarkshire Council's housing and social work services department were in a support worker's unlocked bag which was stolen. The ICO emphasised that papers containing sensitive personal information should never be left in an unlocked bag without necessary precautions.

A breach of data protection law can occur not only when personal data gets into the wrong hands, but when it is destroyed. At Dartford and Gravesham NHS Trust, 10,000 records which should have been archived in a dedicated storage area were, because of lack of space, put in a disposal room and not surprisingly were disposed of, and this was not discovered for three months. The Trust confirmed that records were several years old and the loss of the data did not pose a clinical risk to the patients. The Trust has had to put better procedures in place, including systems to keep track of where information is at all times.

Individuals who access data which they do not have a right to see, or use data for purposes for which it was not intended, can be prosecuted for breach of the Data Protection Act and can be fined. For example two former employees of T-Mobile who stole and sold customer data from the company were ordered to pay a total of £73,700 in fines and confiscation costs.

Despite the potential risk of a penalty, the information commissioner stresses that serious breaches — based on potential harm to the data subjects, sensitivity of the data, and the volume of personal data lost, released or corrupted — should be reported to him immediately.

Links to ICO press releases about the above cases and others can be accessed via tinyurl.com/bux6gej.


CODE OF PRACTICE ON PERSONAL INFORMATION ONLINE

Added 5/1/12. This information updates s.43.3.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office (ICO) code of practice on personal information online outlines good practice for organisations that do business or provide services online and that collect and store information online. It should enable visitors to websites to make an informed choice about whether they should sign up for a particular service. The code covers information processed online and the Data Protection Act 1998, marketing goods and services online, privacy choices, operating internationally, individuals' rights online, things to avoid, and preserving privacy online. It was published in 2010 and does not include the rules on cookies [see below] that came into effect in May 2011.

The code can be accessed via at tinyurl.com/3ctj7vt.


SHARING PERSONAL DATA WITH OTHER ORGANISATIONS

Added 19/12/11. This information updates s.43.3.4 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Data Protection Act generally prohibits disclosure of personal data to other organisations or bodies unless safeguards are in place. When deciding whether to share personal data with other organisations or agencies, even on a one-off basis, the basic principles include identifying the benefits and risks, taking reasonable steps to safeguard personal information, considering whether consent is needed, being transparent about what is being shared and why, ensuring information is up to date and accurate, and ensuring compliance with the Data Protection Act and other relevant legislation.

Failure to implement proper safeguards can lead to penalties — see article above about data protection breaches, with Hounslow Council having to pay a monetary penalty for failing to ensure the security of personal data processed on its behalf by Ealing Council.

The Information Commissioner's Office official code of practice on data sharing, published in May 2011, applies to both routine and one-off data sharing by public, private and voluntary sector organisations. It covers:

  • what to consider when coming to a decision about whether to share personal data;
  • fairness and transparency: when and how individuals should be told their personal data will or may be shared, and when it can be disclosed without the individual's knowledge;
  • security and staff training measures that should be put in place
  • governance issues;
  • individuals' rights to access their personal data;
  • what to avoid;
  • data sharing agreements.
The code includes case studies showing how the Data Protection Act applies to data sharing and, at the end, useful checklists and templates. Failure to comply with the code is not in itself an offence, but can be taken into account in relevant legal proceedings.

The code can be accessed via tinyurl.com/5txcfsy.

TRANSFERRING PERSONAL DATA OUTSIDE THE EEA

Added 19/12/11. This information updates s.43.3.4 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) must, since May 2010, include model clauses drawn up by the European Commission in new contracts with outsourcing companies outside the EEA which will process the data. The model contracts also cover sub-contracting to sub-processors, and require the original exporter of the data to keep track of all sub-contracting. A guide to the requirements and the model clauses is at www.out-law.com/page-11028.



| Home | About Sandy Adirondack | Legal update for voluntary organisations | Legal update: Employment, equal ops, health & safety | Legal update: Managing the organisation | Open training | In-house training | Consulting | Mentoring | Books by post |


© 2011 Sandy Adirondack.
To avoid spamming, an email address is not given on screen. If you can't see the word 'Sandy' or have trouble sending an email by clicking on it, the address is sandy at sandy-a.co.uk, with the spaces and 'at' replaced by the @ symbol.

SANDY ADIRONDACK
Governance and legal training and consultancy
for the voluntary sector

39 Gabriel House, 10 Odessa Street, London SE16 7HQ
Tel 020 7232 0726; fax 020 7237 8117
Email:
Web: www.sandy-a.co.uk