One of the key changes to the ISO 9001 standard when it was up-issued in 2008 was the inclusion of personal data within the context of ‘customer property’ (clause 7.5.4). That clause requires ‘organisations to exercise care with customer property whilst it is under the organisation’s control or being used by the organisation’. The change was welcomed by many after some very well publicised ‘lap top left on train’ incidents.
Now the Information Commissioners Office (ICO) is urging businesse to review their policies for handling personal data following the issue of a £150,000 fine to the Nursing and Midwifery Council for a breach of the Data Protection Act. It is understood that the fine relates to the loss of 3 DVD’s containing data relating to a misconduct hearing including confidential personal information. The data contained on the DVD’s had also been stored in unencrypted format meaning it was accessible to all.
David Smith, Deputy Commissioner and Director of Data Protection, said: “It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.
“While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”
As auditors we need to assure ourselves that organisations have robust procedures in place to ensure that this type of data is identified, is handled in line with statutory and standard requirements and that staff involved fully understand those requirements and are able to deliver against them.