The Alzheimer’s Society faces prosecution if it fails to make changes and improvements to the way it handles personal data.
The Information Commissioner’s Office has given the charity six months to comply with an enforcement notice that specifies required improvements.
The order was issued after the ICO found that volunteers at the society were using personal email addresses to receive and share information about people who use the charity, were storing unencrypted data on their home computers and were failing to keep paper records locked away.
The ICO also found that volunteers were not trained in data protection, the charity’s policies and procedures were not explained to them, and they had little supervision from staff.
ICO head of enforcement Stephen Eckersley said: “In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after very sensitive information.”
He said volunteers play an important role in the charity’s work and must be given the support to handle personal data as safely as paid employees do.
“Anything less is unacceptable and, considering the vulnerability of the people who use the society’s services, we have acted,” Eckersley said.
The failings concerned a group of 15 volunteers recruited in 2007 to help dementia sufferers and their families or carers seek NHS healthcare funding. Between them, the volunteers handled 1,920 cases over a seven-year period.
As part of their role, they drafted reports including sensitive information about the medical treatment, care needs and mental health of the people they were trying to help.
Although the charity has made improvements since the shortcomings were identified in November 2014, the ICO said it had issued the enforcement notice because more needs to be done.
“Our investigation revealed serious deficiencies in the way the Alzheimer’s Society handles personal information,” said Eckersley. “Some of these have been addressed, but the extent and persistence of the charity’s failure to do as we have asked means we must now take more formal action.”
As well as the issues around the security of personal data, the charity’s website was hacked in 2015, putting at risk about 300,000 email addresses and 66,000 home addresses, along with phone numbers and some dates of birth.
The ICO made a series of recommendations after the website hack. Although the charity implemented most of these, the ICO said it did not undertake manual checks of its website, which the ICO said are crucial to detecting vulnerabilities.
The ICO found that the charity had failed to implement fully all recommendations made following the theft of unencrypted laptops in 2010, and in audits in March 2013 and March 2014.
If the charity does not comply with the enforcement notice, it could face prosecution, the ICO said.
The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. It has the power to impose a monetary penalty on a data controller of up to £500,000.