IG policies are essential, but not much use if you don’t comply with them
In NHS and Social Care settings a standard requirement is that all staff are trained in information governance (a large component of which is data protection): “Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained” (IG Toolkit v11) and “Ensure all staff are trained, updated and aware of their responsibilities” (Local Government Data Handling Guidelines). If an organisation suffers a serious breach of data security, and the Information Commissioner’s Office (ICO) investigates, one of the first things they will look at is whether staff were appropriately trained. If they weren’t, enforcement action, possibly in the form of a monetary penalty notice, is highly likely.
It is vital, therefore, that all organisations have a policy that all relevant staff are trained (and in some organisations – like the NHS and local authorities – that will normally mean all staff).
But, policies only work if they are implemented, enforced and monitored. The ICO has recently published an Undertaking (the “last chance saloon” before formal enforcement action) signed by the Northern Health and Social Care Trust. This arose following an incident which
involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The information was intended for the Trust’s Community Rehabilitation Team. The referral form contained sensitive clinical data
Although the Trust had a “fax policy” (good), it wasn’t complied with (bad), but also
The Commissioner’s investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.
This failure constituted a breach of the seventh data protection principle (“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). It is highly likely that, if the training requirements had been complied with, no action would have been taken (or could have been taken), because there would have been no breach.
Put simply, if a data controller can show it has complied with the seventh data protection principle, and there is an accidental data security breach – however horrendous – then (providing there are no breaches of other principles) no sanctions will arise.
It’s in every data controller’s interests not only to require appropriate data protection training for staff, but also to ensure that it has been taken.