The ICO’s investigation into a data breach at Whitehead Nursing Home revealed “widespread systematic failings” in the home’s data protection practices, putting both its employees and residents at risk. The ICO warned that bigger organisations found to have committed similar breaches should be prepared for much larger fines.
The investigation was initiated when an unencrypted work laptop was stolen from a worker’s home. The laptop contained a whole host of sensitive personal data, from staff sickness and disciplinary records to resident health records and ‘do not resuscitate’ status. The ICO criticised the nursing home’s lack of policies regarding encryption, homeworking and the storage of mobile devices, as well as the lack of data protection training given to staff.
The current case acts as a timely reminder for organisations of the importance of complying with their obligations under the Data Protection Act 1998 (DPA). The ICO has the power to serve a monetary penalty notice (up to a maximum of £500,000) on a data controller where it is satisfied that there has been a serious contravention of the data protection principles. It should also be remembered that the potential fines will significantly increase beyond this current limit when the new General Data Protection Regulation comes into effect in May 2018.
In order to evaluate compliance with the DPA, organisations should, as a starting point, ensure that they can identify the type of personal data they are dealing with and the purpose for which such data is being collected. Whilst having a written data protection policy isn’t compulsory under the DPA, it can be a very helpful way of making staff aware of their own and their employer’s obligations under the DPA. Organisations will need to ensure that the policy is properly communicated to all staff, that adequate training is given, and that compliance with the policy is continuously monitored.