Handling personal data – recent guidance from the ICO

Last week the ICO presented a webinar on data security breaches and some of the steps that they expect organisations to take to prevent them. We’ve summarised the key guidance given.

The ICO recently presented a webinar on how Local Authorities can avoid data security breaches. The webinar provided some useful guidance which will apply to all organisations processing personal data. We’ve summarised the key points below.

95% of all breaches reported to the ICO relate to data security. The most common causes of these breaches are:

  • Lost or stolen data; and
  • Data disclosed in error.

The ICO accepts that human error is inevitable. However, they expect that organisations will have taken steps to minimise the risk of human error occurring or, if it does occur, causing a security breach. In other words, they expect you to have taken all reasonable “technical and organisational” measures.

The technical and organisational measures that organisations should take include the ones you might expect, such as implementing physical and electronic security and appropriate policies and processes.

Perhaps the less obvious steps highlighted were:

  • Periodic risk reviews and risk analysis;
  • Training and more general internal awareness raising (for example, using posters or email reminders), particularly where employees are regularly dealing with personal data and might otherwise become ‘desensitised’ to it; and
  • Data minimisation – only processing what the organisation needs and only giving it to those internally who need to see it.

The ICO will be less likely to pursue action against a data controller in the event of a breach by a data processor if the controller:

  • has put in place appropriate data processing clauses;
  • monitors the processor’s compliance with those clauses; and
  • provides clear instructions as to how the processor must process the data.

Paper is harder to secure than electronic documents. Therefore, where employees take paper files outside of the office, the ICO expects that:

  • Taking the papers out of the office is necessary (not merely ‘useful’, for example as something to read on the commute home);
  • The papers will be taken directly to and from their destination (but not, for example, left in a car whilst the employee goes shopping, or taken on a detour to a pub or restaurant); and
  • The papers will be transported in a suitable bag (ideally a lockable bag).

Possibly the most interesting piece of guidance is the point regarding paper documents – lots of employees do take materials out of the office on a purely ‘convenience’ basis, and this guidance gives some food for thought as to the circumstances in which organisations should permit them to do so.

If you need further advice about data protection law, please do get in touch with one of our data protection specialists.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.

Elaine Fletcher


I specialise in data protection and freedom of information law. I believe that compliance done well is a business facilitator not a blocker, and that privacy by design brings commercial benefits.