UK: Cambridgeshire Community Services NHS Trust undertaking: was it really necessary?
Cambridgeshire Community Services NHS Trust has had several breaches involving loss or theft of personal information. But it wasn’t the breaches per se that caught the attention of the Information Commissioner’s Office as much as the finding that the Trust was only requiring their employees to refresh Information Governance (IG) training every two years.
As the resulting undertaking explains:
This is in contradiction to requirement 12- 112 of the IG Toolkit which mandates all organisations delivering care or supporting the delivery of care to citizens to provide annual IG training for employees. This decision was made in November 2013 after requirement 12-112 had come into effect.
They really needed an undertaking for this? The Trust didn’t just say, “Oops, we goofed, we’ll remedy that immediately.” They had to be asked to sign something stating their plan and intentions?
Since an undertaking isn’t a legally enforceable document (as I understand it from some of my fellow UK advocates), wouldn’t it just make more sense for the ICO to send a letter to the Trust saying “We found you out of compliance, and if you’re not in compliance within one year or this happens again, you may face a monetary penalty.”
Or is that too simple?