Alzheimer's Society responds to ICO Enforcement Notice
Published 7 January 2016
The Information Commissioner’s Office (ICO) has issued an Enforcement Notice to Alzheimer’s Society in light of two recent security breaches.
One breach concerned data collected by volunteers and one concerned our website. We want to sincerely apologise that these lapses occurred, and offer reassurance that, after comprehensive checks, we are not aware of any personal data having passed into the public domain.
These lapses should not have happened. We have taken steps in line with the ICO’s recommendations to do all we can to ensure that nothing like this happens again. We have strengthened existing procedures to ensure that all volunteers who have access to personal data receive mandatory data protection training so that they are aware of how to handle personal data. Training completion is monitored for compliance.
Regarding our website, we took swift and immediate action as soon as we were aware of a breach. We have taken advice from an independent cyber security specialist and our auditors to ensure that we have the best technical measures in place to protect our website data. The hack referred to in the notice was exploratory and there is no evidence to suggest it was malicious. After a full and comprehensive analysis, we are not aware of any personal data having been compromised. We have since upgraded our website to ensure we are fully in line with compliance standards and best practice in the industry. We are surprised that the ICO refers to manual checks not being undertaken – we have run and continue to run manual checks, including penetration testing. We have previously notified the ICO about this.
In response to concerns over the two as yet uncompleted recommendations out of the 20 made by the ICO in their 2013 audit, we are continuing to address these as a priority. We have heavily invested in the capacity and capability of the organisation. We have since established a comprehensive Risk Management programme and are in the process of rolling out an Information Asset Register, due for completion in 2016.
Brett Terry, Director of People and Organisational Development and Senior Information Risk Owner, said:
'We are very sorry that data breaches have occurred. We have taken a number of steps to build on and improve our technology systems and processes to ensure that we meet and exceed both ICO guidance and industry standards.
'As an organisation, we exist to support the most vulnerable in society. We take this responsibility, which includes data protection, extremely seriously. We want to reassure our supporters and wider stakeholders that every measure is being taken to ensure their data is kept safe.
'We would like to stress that, after comprehensive checks, to the best of our knowledge no personal data has been compromised.'