Records found in second-hand filing cabinet

18 Jan 2010 - Staff to be made aware of council’s policies relating to personal information

The Information Commissioner’s Office (ICO) has found Lancashire County Council in breach of the Data Protection Act after social work records containing sensitive personal data relating to several individuals were found in a filing cabinet purchased second-hand by a member of the public.

The records were duplicates of documents held in the council’s offices and had apparently been used by a social worker during active casework duties. The files contained an extensive amount of personal data including information about the ethnicity, religious beliefs and physical or mental health conditions of individuals. In one instance, the data provided an almost complete picture of the individual’s life.

Signed Undertaking

Chief Executive of Lancashire County Council, Ged Fitzgerald, has now signed an Undertaking promising to implement a formal written procedure for the removal or disposal of any office furniture or equipment. The Undertaking also requires staff to be made aware of the council’s policies for the storage, use and disposal of personal information and for the appropriate training to be provided.

Sally-anne Poole, Head of Enforcement at the ICO, said: “This incident highlights the importance of having the necessary safeguards in place to ensure personal information is disposed of securely. Organisations need to have the appropriate policies in place and staff need to be aware of these policies to ensure personal information is stored securely. I am pleased that Lancashire County Council is taking action to prevent a similar situation occurring in the future.”  

NETconsent View

The Data Protection Act does not require organisations to have state-of-the-art security technology to protect the personal data it holds. However the ICO recommends that organisations regularly review security arrangements as technology advances. It is up to every organisation to weigh the information risk and take 'reasonable' measures to protect themselves from data loss.

The Human Factor

As well as physical and computer security, organisations are increasingly realising that they need to pay more attention to the human factors associated with information assurance. It is vital that staff understand the importance of protecting personal data; that they are familiar with the organisation’s security policy; and that they put its security procedures into practice. The NETconsent policy management system has been designed to help organisations address these human issues.

Measure Monitor & Manage

NETconsent works on the principle of "Measure, Monitor & Manage".  Historically managers have not been given the tools to help them ensure policies are effectively distributed and read by staff.   NETconsent reverses this problem.

Organisations are able to respond quickly to changes in legislation and business conditions by presenting employees with new and updated policies. A full audit trail of who has seen and agreed to policies makes reporting policy awareness very accurate and exceptionally easy. Furthermore organisations can choose to test their employees' understanding of policies at any time with minimal adminstrative effort. Training resources can then be targetted at personnel and issues identified as being highest risk. These are some of the reasons why NETconsent Compliance Suite is the market leading tool for effective policy management automation with over 175,000 users in the UK.