The Information Commissioner’s Office (ICO) has published a new report highlighting how organisations attached to the Victims Services Alliance are looking after individuals’ information in compliance with the Data Protection Act.
The Victims Services Alliance (VSA) is a national network of 69 charities and voluntary groups who work with the victims of crime. They strive to improve services to victims of crime, their families and others who may have been affected by criminality.
In order to provide these services they may be handling sensitive personal information, including details of individuals’ health and welfare. These organisations also rely on volunteers and temporary workers which means they can have a high turnover of staff.
The report provides an overview of the ICO’s findings from examining the data protection practices at five VSA organisations and the results of a data protection survey responded to by 27 representatives from other VSA members.
Victoria Heath – manager of the ICO’s Good Practice Group for the Criminal Justice Sector – explained: “Members of the Victims Services Alliance face a difficult challenge when it comes to looking after personal information. They often rely on a regular stream of volunteers to provide support to the victims for whom they care while handling sensitive details relating to the abuse or mistreatment of vulnerable people. This creates a unique challenge and one we’re very pleased to say many organisations are meeting.”
Heath continued: “Nevertheless, there are still a number of areas where organisations could be doing more to keep individuals’ information secure. For example, most VSA organisations don’t appear to have a formal retention schedule explaining when personal information should be securely deleted. There was also inconsistent advice given to home workers. With 41% of VSA staff working from home these are important issues that need to be addressed. Our report will help organisations achieve this by introducing relatively minor changes to their existing practices.”
Outlining areas of Best Practice
Some of the Best Practice areas identified in the outcomes report that other VSA organisations can learn from include the following:
*The majority of staff (85%) are vetted by the Disclosure and Barring Service before being appointed
*The Criminal Justice Secure Mail e-mail system is used for sending personal information between agencies ensuring that the information remains secure
*Most staff working at VSA organisations are aware of the need to only record personal information that’s adequate and relevant for a specific purpose
The outcomes report also highlights the need for improvements in a number of priority areas including:
*Organisations should identify which party (known under the Data Protection Act as the data controller) is ultimately responsible for keeping the personal information being processed secure, and which organisation (known under the Data Protection Act as a data processor) is handling the information on behalf of another body
*Organisations need to have a formal home and remote working policy in place to ensure personal information continues to be handled correctly outside of the office environment
*Organisations should ensure that data sharing agreements are in place so that both parties know the circumstances under which personal information should be shared (and the secure process for doing so)
Importantly, the report provides links to relevant guidance from the ICO and other recognised bodies to help VSA organisations look after people’s information.