A few days ago, the UK data protection watchdog (ICO) released a warning to organisations that employ temporary or agency workers. The ICO warned that employers must ensure that any temporary worker who is involved in the handling of personal data has been provided with adequate data protection training.
This warning follows the telling off given by the ICO to the Great Ormond Street Hospital Children NHS Foundation Trust (GOSH), after 3 out of their 4 recent data breaches involved temporary staff sending letters (containing medical information) to the wrong address.
Sally Anne Poole (the ICO’s Enforcement Group Manager) said in a News Release issued by the ICO: “This time of year often coincides with a rise in the number of temporary workers being employed across the UK. However the temporary nature of their employment doesn’t absolve employers of their legal responsibilities for making sure people’s information is being looked after correctly.”
So what does this mean for employers? Well, it means you will need to invest in proper data protection training for temporary or agency workers as well as for your full-time staff. This can be a costly exercise, especially where a temporary worker is only taken on for a limited period.
Employers could consider developing a “one pager” of data privacy “do’s and don’ts” which can be provided to temporary workers when they start. Or perhaps, the temporary worker agency could provide data protection training to workers, so that they are “data protection ready” when they start their placement with an organisation. But it is ultimately the employer who remains responsible for making sure that its staff (permanent and temporary) are adequately trained in data protection to ensure that the information they hold about people is being looked after correctly.
The Chief Executive of GOSH has signed an Undertaking by which GOSH promises the ICO that “temporary staff are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data”. According to GOSH’s undertaking, the ICO decided not to serve an “Enforcement Notice” on GOSH due to the “remedial action” that was taken. It is not clear what this “remedial action” was, but since a warning has now been released by the ICO, it seems prudent for employers to make sure their training policies are adequate and the scope of such training is expanded to cover all employees (full time or part time) that handle personal data, so as to avoid being next in line.
Thank you to Danielle van der Merwe for assisting in writing this post.