As reported on the ICO website, a former family intervention officer at St Helens Borough Council has been sentenced for unlawfully accessing social services records, which resulted in a fine and a criminal record.
The person was prosecuted for viewing records on the council’s case management system without having a business need to do so.
Andy Curry, the ICO’s Head of Investigations, said: ‘People have the absolute right to expect that their sensitive personal information will be treated with the utmost privacy and in accordance with data protection laws. For some reason, this individual chose to flout those laws and spend time snooping at people’s sensitive personal information.’ You can read the full article at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/09/former-social-services-council-employee-fined-for-unlawfully-accessing-sensitive-personal-data/.
But there are lessons here for us all, so perhaps it is timely to make sure that:
- Policies – you have robust and clear policies in place and that all staff are aware of them
- Procedures – your procedures and checklists are clear and up to date, and encourage consistent behaviours that demonstrate your compliance with the UK GDPR
- Systems – your IT systems operate on the ‘least privilege’ principle, to prevent accidental or intentional access to personal data without a business need
- Training – all these things are underpinned by induction and ongoing staff training, and awareness-raising measures
- Review – everything is subject to regular review, either with a full Data Protection Review or a light-touch quick review.
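As an added illustration of the ‘Systems’ and ‘Review’ points above (example code written for this post, not taken from the original article or from the ICO): a small Python check that reads case management audit lines and flags views of case records by staff who are not assigned to that case, which is the kind of access without a business need the prosecution concerned. The audit line format, the user names and the assignment table are all constructed for the example.

```python
# Added example (not from the original post): flag views of case records by
# staff with no assignment to that case, i.e. no business need to open it.
# Audit line format and assignment table are constructed for illustration.

# Constructed audit lines: timestamp, user, action, case id.
SAMPLE_AUDIT_LOG = """\
2023-09-01T09:02:11Z officer_a VIEW case-1001
2023-09-01T09:06:05Z officer_b VIEW case-1003
2023-09-01T09:07:30Z officer_b VIEW case-1001
2023-09-01T09:08:12Z officer_b VIEW case-1004
2023-09-01T09:09:00Z officer_b VIEW case-9999
"""

# Constructed case assignments: who has a business need for which case.
SAMPLE_ASSIGNMENTS = {
    "case-1001": {"officer_a"},
    "case-1003": {"officer_b"},
    "case-1004": set(),  # closed case: nobody currently assigned
}

def parse_audit_log(text):
    """Parse whitespace-separated audit lines into (timestamp, user, action, case_id)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, case_id = line.split()
        records.append((timestamp, user, action, case_id))
    return records

def find_unassigned_access(log_text, assignments):
    """Return (timestamp, user, case_id, reason) for each VIEW by an unassigned user."""
    findings = []
    for timestamp, user, action, case_id in parse_audit_log(log_text):
        if action != "VIEW":
            continue
        assigned = assignments.get(case_id)
        if assigned is None:
            findings.append((timestamp, user, case_id, "unknown case id"))
        elif user not in assigned:
            findings.append((timestamp, user, case_id, "user not assigned to case"))
    return findings

def flagged_views_per_user(findings):
    """Count flagged views per user so repeated browsing stands out for review."""
    counts = {}
    for _, user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts
```

Run it over a day's audit export and the per-user counts give a review a short list of accounts to ask about, rather than the whole log.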
If you are not sure that you have everything in place, or want to find out how easy a data protection review can be, then get in touch using the links below.