Many organisations handle personal information about individuals in some form, and that brings with it legal obligations to protect that information under the Data Protection Act 1998.
A key part of our role as the UK’s independent regulator of the Act is to work with organisations to give advice and education on best practice.
One of the ways we do this is through free advisory visits, usually targeted at sectors that handle sensitive personal data. This involves a one-day visit to an organisation where we look at how they’re doing things and offer practical advice on how to improve.
The visits tend to focus on how personal data is being kept secure, how records are being managed and how requests from individuals for their personal data (subject access requests) are handled.
As well as giving the organisations a summary of what we’ve found, we also look to bring that information together with the findings from other advisory visits to give a guide that summarises what we’ve found a sector does well, and more crucially what it doesn’t do well.
We’ve got three of these guides due out this week. Below you can read what we’ve found from our visits to credit unions. This will be followed by our findings from advisory visits to community service organisations and charities.
If you work in one of those sectors, the guides should be crucial reading, and even if you work elsewhere, they’ll provide plenty of food for thought.
Credit unions provide financial services to members, including loans and savings. To this end, they typically look after large volumes of financial information, from credit assessments to payment histories.
The ICO undertook seven advisory visits in 2012/13, and while they varied considerably in their size and the resources available to them, there were clear common themes.
Several areas of good practice were identified, notably the physical security given to data and the information given to customers when they signed up.
Areas for improvement included making staff more aware of their responsibilities when handling information, and ensuring they have unique user accounts. Better retention schedules, setting out how long customer data is kept for, were also recommended.
Victoria Heath manages our Good Practice Criminal Justice sector team, which helps organisations meet their obligations under the Data Protection Act. Her work includes managing a programme of audits and advisory visits.