I guess the Information Commissioner’s Office (ICO) doesn’t publicly post all undertakings, as we are first finding out about an August undertaking in November, when a follow-up was conducted and disclosed.
In June 2012, the ICO learned that a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid was left in a café. The folder contained confidential client information. An investigation suggested a lack of effective controls and procedures governing the removal of sensitive information from the office. Thankfully, the folder was returned immediately by the café owner, but Foyle Women’s Aid signed an undertaking in August to address the policies and training concerning removal of information from the office.
A desk review follow-up this week acknowledged Foyle’s progress in compliance but noted that further action was still needed:
- Data Protection training is in the process of being provided to all staff. This should be completed by the end of November 2013 as planned.
- Encryption software should be installed on all laptops, iPads and any other mobile devices used by staff.
- Procedural guidance should be introduced for staff to follow in relation to the secure use of mobile devices, as planned.
- The access restriction software training which is currently scheduled for 2014 should be completed by all relevant staff prior to its implementation.
- The contract with the external shredding company should contain appropriate security clauses and checks on the company’s security procedures should be conducted annually.