personal data within the context of ‘customer property’ (clause 7.5.4). That clause requires ‘organisations to exercise care with customer property whilst it is under the organisation’s control or being used by the organisation’. The change was welcomed by many after some very well publicised ‘laptop left on train’ incidents.
Now the Information Commissioner’s Office (ICO) is urging businesses to review their policies for handling personal data following the issue of a £150,000 fine to the Nursing and Midwifery Council for a breach of the Data Protection Act. It is understood that the fine relates to the loss of 3 DVDs containing data relating to a misconduct hearing, including confidential personal information. The data on the DVDs had also been stored in unencrypted format, meaning it was accessible to all.
David Smith, Deputy Commissioner and Director of Data Protection, said: “It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”
As auditors, we need to assure ourselves that organisations have robust procedures in place to ensure that this type of data is identified and handled in line with statutory and standard requirements, and that the staff involved fully understand those requirements and are able to deliver against them. Put that on your next audit plan!