Today we have published our advisory visit guides covering the charity and community services sectors. The guides provide a summary of our findings during the advisory visits carried out with organisations across the two sectors, highlighting areas where each sector is performing well, and more crucially where they aren’t.
The guides follow last week’s publication of our guide covering credit unions, which was the subject of my earlier blog.
The charitable sector often handles particularly sensitive information relating to the health and wellbeing of its members or other service users. Many charities lack the funds to introduce the latest security systems, and this is why our advisory visits can be particularly useful for this sector.
We carried out visits with 32 charitable organisations last year, including regional charitable volunteer services, housing and tenant support services, and children’s and young people’s services. From these advisory visits a number of clear trends emerged.
Encouragingly, a third of the charities we visited had good access controls in place, which made sure that IT systems containing personal data were only accessible to those that actually needed to use the information. We were also pleased to see that a similar proportion of the charities we spoke with clearly explained to people how their data would be used by providing a fair processing notice.
However, there is also room for improvement. For example, over half of the charities we visited had no retention schedule explaining when data should be destroyed. A large proportion of charities also failed to have adequate physical security in place to protect manual records.
Community Support Services
Community Support Services are generally small to medium sized charities aimed at providing services to individuals within their local community rather than at a national level. Like charities, they will also be required to look after sensitive information, including information about the care and health of vulnerable people, and they differ considerably in size and the number of staff employed.
We undertook 33 advisory visits with this sector during 2012/13 and found that almost half of the organisations surveyed had an adequate level of physical security in place that clearly met their requirements under the Data Protection Act. The majority of Community Support Services also provided fair processing information that clearly explained how people’s data would be used.
Less than half of Community Support Services provided regular data protection training for their staff. Almost all of the organisations visited in this sector failed to encrypt laptops and other portable devices used to store personal information, putting the information at risk if the device is subsequently lost or stolen.
Victoria Heath manages our Good Practice Criminal Justice sector team, which helps organisations meet their obligations under the Data Protection Act. Her work includes managing a programme of audits and advisory visits.