“It’s beginning to look a lot like Christmas, Ev’rywhere you go,
Take a look at floors one to ten, lots of empty seats there again
Let’s hope there isn’t cause to call the ICO.”
With many offices shutting down for the festive season and plenty of extended leave, it can mean organisations are running on a skeleton staff.
Unfortunately data protection doesn’t recognise holidays. When staff are rushing to get away it can be tempting to cut corners in an attempt to clear the decks in time for New Year. The Information Commissioner’s Office (ICO) has seen lots of cases where responses sent out around the holidays and even on Christmas Eve mistakenly contained personal information either due to time constraints or because there was no one available to check the information.
In the whirl of parties, presents and mince pies, when work is pretty near the bottom of most people’s Christmas lists, it’s important to factor in plenty of time when calculating response times to requests and get the required check and sign off.
And it’s not just freedom of information (FOI) and subject access requests (SAR) that can suffer with less staff in the building. As the usual monitoring of information security systems can be disrupted, it’s a time when undetected cyber security incidents could devastate organisations.
ICO have put together their seven top tips to remind businesses and organisations that by taking a little extra care this Christmas, they can have a much happier New Year:
- Make sure all staff are aware of any changes in the sign off process. If someone different is signing off requests, let them know. It’s important there are staff available to know how to redact information and use any necessary software.
- When taking extended leave out of office emails should include an alternative, monitored email address so that incoming FOI and SAR requests can be logged immediately by a staff member.
- If there are going to be delays in sending out responses, remember it’s important to keep all requestors updated.
- It’s a good time to remind all staff who work from home about data protection homeworking policies and procedures.
- Consider how systems can be checked for potential data breaches during longer periods of shut down. Put a contingency plan in place for monitoring information security with less staff. Make sure the systems are backed up regularly to protect from disasters and against malware such as ransomware.
- Prepare for the worst: create a plan for managing data breaches factoring in any office closures. Think about how you would update customers if the organisation suffered a data breach and the usual channels were not available.
- If you use an IT contractor, talk to them about the requirements of your business over the Christmas period.
Source: ICO website
Author: Laura Middleton, ICO Enforcement Team Manager
Laura is a Team Manager in the Civil Investigations team within the Enforcement Department. The team investigate breaches of the Data Protection Act, exercising the Commissioner’s powers of enforcement contained in part V of the Act, including civil monetary penalties.