
12 SEP 2016

A cautionary tale for keeping personal data secure

Mark Stevens
Associate, Veale Wasbrough Vizards

The Information Commissioner's Office (ICO) has recently fined a nursing home in Northern Ireland £15,000 for failing to keep personal details of its staff and residents secure.

The facts

A recent breach of the Data Protection Act by a nursing home in County Antrim serves as a useful reminder of how important it is for organisations to ensure that the personal data they hold is secure.

The breach occurred when an unencrypted work laptop was stolen from the home of a staff member. The laptop contained sensitive personal information relating to 29 residents and 46 staff.

The ICO subsequently launched an investigation and found that the nursing home had put its employees and residents at risk by failing to implement policies relating to encryption, homeworking and the storage of mobile devices. The nursing home had also not provided enough data security training to its employees.

The nursing home was able to demonstrate various mitigating factors, such as the laptop being password-protected, the fact that it reported the matter to the ICO itself, and its full cooperation throughout the investigation. The nursing home has also since implemented appropriate policies and training.

Notwithstanding the above, the nursing home received a fine of £15,000, which the ICO decided was appropriate given the organisation's size. However, it should be noted that a similar breach at a larger organisation could lead to that organisation receiving a much bigger penalty.

Best practice

This case shows that the ICO will consider taking action against any organisation which has not put measures in place to ensure compliance with the Data Protection Act and that keeping personal data secure is not an issue that should be taken lightly.

The Data Protection Act states that 'appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data'. This means that all organisations which hold personal data of any kind should ensure that they have appropriate measures in place to prevent data from being accidentally or deliberately compromised. Such measures include:

  • Encryption: organisations should encrypt personal data where appropriate, for example where it is stored on mobile devices such as laptops. Encryption is especially effective at protecting data against unauthorised access if the device storing the encrypted data is lost or stolen; a password alone does not give this protection.
  • Policies: organisations must ensure that they have robust policies in place in order to keep sensitive data and personal data secure, particularly in relation to working from home. Policies in relation to encryption, homeworking and the storage of mobile devices should be implemented.
  • Training: all employees should be provided with training in relation to data protection.

Please let us know if you would like any assistance with updating or introducing appropriate policies, and with training your staff.