When a data protection breach is reported to the ICO, even if they decide there is no further action they need to take, they make recommendations which include ensuring staff are provided with regular communications in relation to the technical and organisational measures we have in place to ensure the security and confidentiality of personal data.
This month’s communication is in relation to the use of forms. We have lots of blank form templates which you may need to complete from time to time or on a regular basis. These could be external, where we ask members of the public to provide their information so that we can supply them with a service, or internal, where you or your manager might need to complete a form containing your own personal data.
If you are using a form template as an end user (ie, when you are populating it) it is very important that you download the form and save it with a different name (and adopting a strong naming convention) to avoid personal data being accidently disclosed. The form should then also be stored into a different location from the blank form template, – to minimise the risk of a prepopulated form being attached in error. Please make sure you always follow this process and do not attempt to edit a form on line or on Molly. This will also prevent you sending what you believe to be a blank form internally or externally, only to find it contains the personal data of a third party. If you come across any template forms on Molly that you discover you can save directly into the template available on Molly, please delete all personal data within it and report it straight away to your Business Manager.
As we have recently had some breaches of this nature please can we ask all Information Asset Owners/BMTrs to carry out the following actions:
- Check any form templates you have on Molly/The Website/ and, if accessible, the S:Drive to ensure that they are stored in the correct location and they are blank.
- If you identify any data protection issues following this check please report to Tom.
- Have a list of relevant forms with confirmation of where they are stored and what protective measures are in place for each (eg, locking the template form for editing).
- For all forms that are designed to include special category or other high risk personal data, have a written procedure in place for staff to follow – e.g. for attaching blank forms from a single folder. Please also ensure that this procedure is communicated to all relevant staff by way of introduction and regular reminders.
If you have any questions or would like to discuss this further please contact Tom or Kate.
Tom.Penlington@molevalley.gov.uk or Kate.Butcher@molevalley.gov.uk.