The Information Commissioner’s Office (ICO) has criticised the Alzheimer’s Society after it emerged that volunteers working for the organisation were not trained in data protection practices and were not familiar with the charity’s policies and procedures. Concerns centred on volunteers whose role was to help families of sufferers secure NHS funding for healthcare.
The working practices in question included using personal email addresses to send and receive sensitive patient information, storing unencrypted data on personal computers and failing to ensure the security of paper records. A lack of supervision for volunteers was cited as a failure and concerns were also expressed over the security of the charity’s website after a hack in 2015 led to the risk of personal data loss.
Of particular concern was a lack of manual checks on its website, a practice that the ICO identified as crucial in ensuring the effective protection of personal data.
The ICO has issued an enforcement notice amidst concerns that not enough was being done at the charity to rectify the issues. If it does not comply with the orders, the Alzheimer’s Society could face legal action. It described the charity’s attitude towards the security of personal data as ‘disappointing’.
The case makes clear the need to treat volunteers in the same manner as employed staff, ensuring that effective and comprehensive training is delivered and compliance with training schedules is monitored. The action of the ICO is a clear warning to the sector of the need to enforce high standards throughout all parts of the workforce, whether dealing with paid employees or volunteer workers.