Good data protection can be cheap and easy, says ICO

The Information Commissioner's Office (ICO) says charities and third sector organisations stand to benefit most from a data protection check-up.

The privacy watchdog offers free day-long advisory visits that give small and medium sized organisations the opportunity to discuss and receive practical advice in the form of a report from the ICO to help improve data protection practices.

With charities often handling sensitive information, such as individuals’ medical details, they are potentially more susceptible to encountering a serious data breach, the ICO said. "With these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities may be struggling to look after people’s data," said Louise Byers, head of good practice at the ICO.

In addition to advisory visits, the ICO has published a guide on the top five areas for improvement to help small and medium sized organisations avoid serious data breaches.  

The guide shows that good data protection practices can be cheap and easy to introduce, providing they have the right help and support, Byers said.

Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of a charity, said Sam Younger, chief executive of the Charity Commission.

"I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit," he said.

The ICO's top five areas for improvement guide covers the main areas for improvement highlighted by previous advisory visits carried out at small and medium sized charities and third sector organisations.

The ICO’s top five areas for improvement are:

• Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
• Make sure your staff members are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
• Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
• Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
• Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.