Two recent ICO enforcement activities indicate the importance of internal and external controls over how data may be used and transferred.
The ICO has fined Newham Council £145,000 after a council employee shared an un-redacted version of the 'Gangs Matrix' with 44 other people and agencies in January 2017. Over time, rival gang members had obtained photographs of this information via Snapchat. The ICO concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The ICO found that the council did not have any specific sharing agreements, policy or guidance in place to determine how its own staff and partner organisations should handle and use the Gangs Matrix databases securely. The ICO was also critical of the council's slow subsequent investigation into the issue.
Meanwhile, a former GP practice manager has been fined for sending work-related data to her personal email account without authorisation, including 13 other individuals' job applications. The incident came to light after a colleague was given access to her account, leading to the practice reporting the issue to the ICO.
These cases illustrate the importance of having in place technical and organisational measures to try to prevent unauthorised or unnecessary access to information, and the timely and effective response to incidents when they occur. For advice on responding to Personal Data Breaches or other information governance matters, please speak to Andrew Latham or the Capsticks Information Law team.
"[The Newham case] is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations." James Dipple-Johnstone, ICO Deputy Commissioner