Here’s yet another case where an investigation of a breach resulted in the ICO discovering that an entity was not providing data protection training and re-training often enough. 

On October 10, 2014, the Information Commissioner (ICO)  was informed that Doncaster Metropolitan Borough Council had lost a file containing 66 records of families requiring Health services. There is no evidence to suggest the file is in the public domain and it appears the loss arose as a result of an internal office move.

The Commissioner was satisfied that due to the physical security measures normally in place, no formal action was required on that issue, but in the process of investigating the matter, the ICO determined that there were low levels of staff completion of themandatory data protection training. Furthermore, staff were only required to undertake data protection training every three years.

Note that there is nothing in the enforceable regulations that makes this a violation, but it is inconsistent with the ICO’s guidance and previous advice on good data protection practice.

And so, voila, another undertaking.

I wonder what would happen if an entity refused to sign an undertaking because, well, they didn’t break any law. Then what?