At our last UPDATE session in May 2016, I raised five recent Undertakings and several audit summaries which focused on the lack of staff training or on training quality. I predicted that it would not be long before a controller would be on the receiving end of Enforcement for failing to train its staff.
Well, this has happened. An Enforcement Notice has been served on West Dunbartonshire Council (see references) for failing to implement detailed staff training. The Notice requires West Dunbartonshire Council, within the next six months, to take steps to ensure that:
- there is a mandatory data protection training programme for all staff (including new starters) and refresher training on an annual basis;
- completion of such training is properly documented and monitored to ensure training is completed within an appropriate timeframe;
As failure to comply with a Notice is a criminal offence (due diligence defence), the Council is being threatened with prosecution should it fail to implement the above training diktats.
The “lack of training” Undertakings (which are dated after 1 October 2015; see below) are also well worth looking at to see what is required of the relevant data controller. One assumes that if these data controllers fail pitifully to meet their training promises, they too risk facing Enforcement action. Such “we promise to implement staff training” Undertakings have been signed by:
- Sirona Care & Health
- Falkirk Council
- Chief Constable Wiltshire Constabulary
- Leeds Community Healthcare NHS Trust
- South Eastern Health & Social Care Trust.
In addition, the ICO’s follow up (dated April 2016) on the Undertaking signed by Doncaster Metropolitan Borough Council several months earlier contains several paragraphs on training (e.g. Doncaster has to “Deliver mandatory data protection training to the relevant individuals, and at the intervals agreed, as set out in the training needs analysis above”). Clearly, if Doncaster MBC fails to deliver, another West Dunbartonshire could follow.
From the audits over the last six months one can also see that training has become a Key Performance Indicator assessed by the Commissioner. For example, having two thirds of staff trained is criticised as not being good enough. Audits that mention deficient training (and a summary of the criticism) include:
- SUSSEX POLICE: Refresher training is not being completed regularly; statistics in relation to training are recorded inaccurately.
- LINCOLNSHIRE COUNTY COUNCIL: No steering group that oversees IG training and awareness.
- SOUTHAMPTON CITY COUNCIL: Only 67% of staff completed the mandatory Information Governance (IG) training.
- AVON AND WILTSHIRE MENTAL HEALTH PARTNERSHIP NHS TRUST: “a gap” in the training of Information Asset Owners (which I assume to be a euphemism for training that does not contain sufficient detail).
- KENT COUNTY COUNCIL: IG e-learning completion statistics provided for the purposes of the audit showed that only 65% of staff had completed this mandatory training.
- ST ANDREWS HEALTHCARE: Staff processing SARs across the charity have mostly received only on-the-job training in the processing of requests, rather than specialised training (with the implication that SAR might go wrong, for example, with respect to personal data that contains details of another identifiable individual).
- CITY OF EDINBURGH COUNCIL: Only 18% of workforce had successfully completed the mandatory Information Governance Foundation e-learning.
- CITY OF YORK COUNCIL: There is no systematic data sharing training in place; no IG training needs analysis to identify the requirement for staff training.
- SOUTHERN HEALTH: Not all staff who process SARs have had sufficient training on how to apply exemptions to the DPA effectively.
- NOTTINGHAMSHIRE COUNTY COUNCIL: IG training does not sufficiently cover the eight principles, the recognition and handling of SARs and data sharing (what does it contain then!).
- NORTHAMPTONSHIRE COUNTY COUNCIL: Training is mandatory, and the completion target for it was 100% (the completion rate at the time of the audit was only 62%).
Getting training procedures in place and improved numbers with respect to current DPA training is something that can be done now; such steps become essential once the GDPR is law. Data controllers can also imagine that it won’t be long before a serious incident occurs because staff were not sufficiently trained and this results in a monetary penalty.
However, one thing is abundantly clear: training, training quality and proving staff have been properly trained is high on the ICO’s enforcement agenda.
If you are seeking insights like the above, Amberhawk holds all day GDPR Regulation Workshops in London, Leeds, Douglas (Isle of Man) and Edinburgh in the next three months; details on http://www.amberhawk.com/bookevents3.asp
To train your Data Protection Officer, we have a BCS DP Practitioner Qualification (starting in London on July 12). Need to know more about information security management? The BCS Foundation CISMP course starts in London on June 13. Full details of courses from September (e.g. FOI, Foundation DP courses) are on the Amberhawk home page: www.amberhawk.com
West Dunbartonshire Training Enforcement Notice: https://ico.org.uk/media/action-weve-taken/enforcement-notices/1624089/west-dumbartonshire-council-en-20160428.pdf