You might have seen the headline. The Chief Constable of Dyfed Powys Police had been taken to task by the ICO, and had been required to sign an undertaking to improve the force’s data security. Most would not have read further, despite the illicit enjoyment of a CC being disciplined. However, there is much in the decision that can help with email marketing data protection.
In cases such as this, those who sit in judgement will justify their decisions and give reasons for any punishment, be it a fine or, as in this case, an undertaking. Anyone with email marketing lists should go past the headlines and study the details.
There were a number of issues which the ICO raised for special attention, the first being mentioned a number of times in the decision. It would appear that there was a series of breaches of security over an extended period. This would have suggested to the ICO that there was an organisational failure.
The report states: there were ‘several data protection incidents by the data controller [the Chief Constable] over an 18 month period. The number of incidents reported is of concern especially as they are repeated in nature.’
Also repeated is that over 50% of staff, presumably with access to personal data, had not received any data protection training. This is quite a shocking statistic given the type of information that is collected by the police service. Even more damning is that there was no established system of refresher training.
The offences were committed by staff who had received no data protection training. Overall, it was quite a collection of errors. They were varied in nature, suggesting that a lack of proper process was endemic.
The Chief Constable was required to sign five undertakings to improve performance. The five were, in brief:
1/ The requirement for a force-wide programme of data protection training. There was a caveat that this should be adequate,
2/ A requirement for a programme of refresher training,
3/ Training in data protection to be recorded and prompt remedial action to redress non-compliance,
4/ Essentially this amounts to implementing basic measures to ensure the security of personal data,
5/ This was to do with the procedure for the undertaking.
What might be surprising is the basic nature of the undertakings. Any company with control of personal data should have been following such procedures as a matter of course. In addition, this is a police force, one that might sit in judgement over email marketing companies and how we handle our email marketing lists.
Such cases as this should make you wonder if the security systems in place in your company are adequate. The majority of the offences involved actions of a member of staff quite low in the hierarchy. It emphasises that everyone who has access to personal data must be aware of the requirements.
We can all enjoy the embarrassment of the great and the good, but is there genuine support for your feeling of smugness? Do you know that everyone in your company with access to personal data knows what they should be doing?
You should be ensuring they do.