
ICO finds ‘unacceptable’ failings in data protection procedures at the Alzheimer’s Society

IT | Kirsty Weakley | 7 Jan 2016

The Information Commissioner has criticised the Alzheimer’s Society for allowing volunteers to use personal email addresses when handling sensitive information, and issued the charity with an enforcement notice.

After investigating the charity, the ICO found that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away. They had also not received data protection training.

Stephen Eckersley, head of enforcement at ICO, said: “In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after the very sensitive information that people trusted them with.

“Volunteers form the cornerstone of many charities’ work and we all admire and appreciate their personal commitment and goodwill. They play an important role and must be given the support to handle personal data as safely as paid members of staff. Anything less is unacceptable and, considering the vulnerability of the people who use the Society’s services, we have acted.”

The failings are connected to a group of 15 volunteers who were recruited in 2001 to help dementia sufferers and their families access NHS funding, and part of their role included drafting reports that contained sensitive information about individuals’ treatment. Over a seven-year period they collectively handled 1,920 cases.

Eckersley added: “Our investigation revealed serious deficiencies in the way the Alzheimer’s Society handles personal information. Some of these have been addressed, but the extent and persistence of the charity’s failure to do as we’ve asked means we must now take more formal action.”

The ICO first issued the charity with an undertaking in 2010 following a security breach. It then carried out an audit in 2013 and made further recommendations. A follow-up audit in March 2014 found that the charity had not implemented a recommendation.

Further investigation was carried out after a second security breach in April 2015. It found that the charity breached two data protection principles in keeping data longer than needed and failing to take “appropriate technical and organisational measures”, the enforcement notice said.

The charity's website was also hacked in 2015, putting at risk 300,000 email addresses, 66,000 home addresses, phone numbers and some birth dates. 

The Alzheimer’s Society has been ordered to take steps to address the issues within six months. This includes providing volunteers with secure email accounts.

If the charity does not comply with the enforcement notice it could face prosecution. It has a right to appeal the notice at a tribunal.

Alzheimer's Society issued a statement apologising for the lapses and confirming it had taken steps to address the issues.

Brett Terry, director of people and organisational development and senior information risk owner, said: “We are very sorry that data breaches have occurred. We have taken a number of steps to build on and improve our technology systems and processes to ensure that we meet and exceed both ICO guidance and industry standards.

“As an organisation, we exist to support the most vulnerable in society. We take this responsibility, which includes data protection, extremely seriously. We want to reassure our supporters and wider stakeholders that every measure is being taken to ensure their data is kept safe.

“We would like to stress that, after comprehensive checks, to the best of our knowledge no personal data has been compromised.” 
 
