Information security starts with educating staff

It isn’t just the people at the top who govern the security of data within a firm. The first step to ensuring that your business meets its requirements is providing training for staff on all levels to keep their knowledge up to date.

Companies are obliged to comply with the Data Protection Act and any failure to do so, whether intentional or not and irrespective of who has committed the offence, will result in hefty penalties from the Information Commissioner’s Office (ICO).

To this end, the ICO recently issued a warning to all companies who are handling confidential information to make sure that all their staff understand how to properly handle information.

It issued this warning following four data breaches at Great Ormond Street Hospital for Children NHS Foundation Trust between January 2012 and June 2013. These were caused by letters being sent to the wrong addresses, which included information about some patients’ treatment at the hospital.

An investigation from the ICO revealed that three of the four incidents involved temporary staff handling this data in spite of having had no prior training in how to do so. Additionally, the hospital had no processes in place to make sure the letters were going to the correct addresses.

Enforcement group manager at the ICO Sally Anne Poole said: “If organisations are employing temporary or agency workers into positions that involve the handling and sending out of personal information then they must make sure these staff have received adequate data protection training. Great Ormond Street Hospital for Children NHS Foundation Trust failed to do this and have now been required to sign an undertaking with our office to improve their practices.”

Yet this is not the only time in recent months when an organisation has failed to meet expectations in terms of data protection recently due to leaving a relatively inexperienced member of staff in charge.

Last month, the Ministry of Justice was fined £140,000 when details of the prisoners serving at HMP Cardiff were sent out to three families. Following investigation, the ICO blamed a lack of management as it found a clerk working unsupervised despite having had limited training and having only worked at the prison for two months.