
ICO finds ‘unacceptable’ failings in data protection procedures at the Alzheimer’s Society

IT | Kirsty Weakley | 7 Jan 2016

The Information Commissioner has criticised the Alzheimer’s Society for allowing volunteers to use personal email addresses when handling sensitive information, and issued the charity with an enforcement notice.

After investigating the charity, the ICO found that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away. They had also not received data protection training.

Stephen Eckersley, head of enforcement at ICO, said: “In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after the very sensitive information that people trusted them with.

“Volunteers form the cornerstone of many charities’ work and we all admire and appreciate their personal commitment and goodwill. They play an important role and must be given the support to handle personal data as safely as paid members of staff. Anything less is unacceptable and, considering the vulnerability of the people who use the Society’s services, we have acted.”

The failings are connected to a group of 15 volunteers who were recruited in 2001 to help dementia sufferers and their families access NHS funding, and part of their role included drafting reports that contained sensitive information about individuals’ treatment. Over a seven-year period they collectively handled 1,920 cases.

Eckersley added: “Our investigation revealed serious deficiencies in the way the Alzheimer’s Society handles personal information. Some of these have been addressed, but the extent and persistence of the charity’s failure to do as we’ve asked means we must now take more formal action.”

The ICO first issued the charity with an undertaking in 2010 following a security breach. It then carried out an audit in 2013 and made further recommendations. A follow-up audit in March 2014 found that the charity had not implemented a recommendation.

Further investigation was carried out after a second security breach in April 2015. It found that the charity breached two data protection principles in keeping data longer than needed and failing to take “appropriate technical and organisational measures”, the enforcement notice said.

The charity's website was also hacked in 2015, putting at risk 300,000 email addresses, 66,000 home addresses, phone numbers and some birth dates. 

The Alzheimer’s Society has been ordered to take steps to address the issues within six months. This includes providing volunteers with secure email accounts.

If the charity does not comply with the enforcement notice it could face prosecution. It has a right to appeal the notice at a tribunal.

Alzheimer's Society issued a statement apologising for the lapses and confirming it had taken steps to address the issues.

Brett Terry, director of people and organisational development and senior information risk owner, said: “We are very sorry that data breaches have occurred. We have taken a number of steps to build on and improve our technology systems and processes to ensure that we meet and exceed both ICO guidance and industry standards.

“As an organisation, we exist to support the most vulnerable in society. We take this responsibility, which includes data protection, extremely seriously. We want to reassure our supporters and wider stakeholders that every measure is being taken to ensure their data is kept safe.

“We would like to stress that, after comprehensive checks, to the best of our knowledge no personal data has been compromised.” 
 
