The Information Commissioner has criticised the Alzheimer’s Society for allowing volunteers to use personal email addresses when handling sensitive information, and issued the charity with an enforcement notice.
After investigating the charity the ICO found that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away. They had also not received data protection training.
Stephen Eckersley, head of enforcement at ICO, said: “In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after the very sensitive information that people trusted them with.
“Volunteers form the cornerstone of many charities’ work and we all admire and appreciate their personal commitment and goodwill. They play an important role and must be given the support to handle personal data as safely as paid members of staff. Anything less is unacceptable and, considering the vulnerability of the people who use the Society’s services, we have acted.”
The failings are connected to a group of 15 volunteers who were recruited in 2001 to help dementia sufferers and their families access NHS funding, and part of their role included drafting reports that contained sensitive information about individuals’ treatment. Over a seven-year period they collectively handled 1,920 cases.
Eckersley added: “Our investigation revealed serious deficiencies in the way the Alzheimer’s Society handles personal information. Some of these have been addressed, but the extent and persistence of the charity’s failure to do as we’ve asked means we must now take more formal action.”
The ICO first issued the charity with an undertaking in 2010 following a security breach. It then carried out an audit in 2013 and made further recommendations. A follow-up audit in March 2014 found that the charity had not implemented a recommendation.
Further investigation was carried out after a second security breach in April 2015. It found that the charity breached two data protection principles in keeping data longer than needed and failing to take “appropriate technical and organisational measures”, the enforcement notice said.
The charity's website was also hacked in 2015, putting at risk 300,000 email addresses, 66,000 home addresses, phone numbers and some birth dates.
The Alzheimer’s Society has been ordered to take steps to address the issues within six months. This includes providing volunteers with secure email accounts.
If the charity does not comply with the enforcement notice it could face prosecution. It has a right to appeal the notice at a tribunal.
Alzheimer's Society issued a statement apologising for the lapses and confirming it had taken steps to address the issues.
Brett Terry, director of people and organisational development and senior information risk owner, said: “We are very sorry that data breaches have occurred. We have taken a number of steps to build on and improve our technology systems and processes to ensure that we meet and exceed both ICO guidance and industry standards.
“As an organisation, we exist to support the most vulnerable in society. We take this responsibility, which includes data protection, extremely seriously. We want to reassure our supporters and wider stakeholders that every measure is being taken to ensure their data is kept safe.
“We would like to stress that, after comprehensive checks, to the best of our knowledge no personal data has been compromised.”