From the ICO:
The ICO has found serious failings in the way volunteers at a national dementia support charity handled sensitive personal data.
It has orderedThe Alzheimer’s Society to take action after discovering that volunteers were using personal email addresses to receive and share information about people who use the charity, storing unencrypted data on their home computers and failing to keep paper records locked away.
Furthermore, volunteers were not trained in data protection, the charity’s policies and procedures were not explained to them and they had little supervision from staff.
The enforcement notice notes that The Commissioner issued the data controller with an Undertaking in February 2010 to ensure that remedial action was taken following a security breach that was investigated by the ICO. That incident had been reported on this blog here. The ICO also carried out an audit of the data controller in March 2013 which provided ‘reasonable assurance’. That audit had been covered here. But then, it appears, that there were more concerns:
The ICO then carried out a ‘follow-up’ audit in March 2014 which revealed that a recommendation in the ICO’s March 2013 audit report had not been fully implemented by the data controller.
The ICO has now carried out a further investigation into the data controller’s compliance with the provisions of the DPA following a second security breach that was discovered on 15 April 2015.
A second breach? No, I didn’t know about that one, but perhaps if the ICO had taken stronger action sooner, the April 2015 breach might not have occurred?
Update: The ICO subsequently issued a press statement about the enforcement order that included a statement about the April 2015 breach:
As well as issues around the security of personal data, the charity’s website was hacked earlier in 2015, putting at risk around 300,000 email addresses, 66,000 home addresses, phone numbers and some birth dates.