The Information Commissioner’s Office has served an enforcement notice on the Alzheimer’s Society and criticised the charity for displaying a "disappointing attitude" towards handling the sensitive personal data of its beneficiaries.
The enforcement notice was issued to the dementia charity on 5 January after an investigation launched by the ICO in November 2014 found that its volunteers were using personal email addresses to receive and share information about beneficiaries, storing unencrypted data on their home computers and failing to keep paper records locked away.
The regulator also found that the volunteers had not been trained in data protection, that the charity’s policies and procedures had not been explained to them and that they received little supervision from staff.
The ICO said the charity could face prosecution if it failed to comply with the enforcement notice.
The failings identified by the ICO concerned a group of 15 volunteers who helped 1,920 dementia sufferers and their families or carers seek NHS healthcare funding between 2007 and 2014.
The volunteers drafted reports that included sensitive information about the medical treatment, care needs and mental health of beneficiaries.
The ICO said that although the charity had made improvements since the shortcomings were first identified more than a year ago, the enforcement notice had been issued because the regulator felt the charity needed to do more.
The ICO said the Alzheimer’s Society website was hacked last year and that the charity had subsequently failed to comply with the regulator’s recommendation to carry out manual checks of the site; the enforcement notice would now require it to do so.
The ICO said the charity had also failed to fully implement previous recommendations it had issued.
In 2010 it signed a formal undertaking with the ICO agreeing to a series of security measures after several unencrypted laptops containing the personal details of 1,000 staff were stolen during an office burglary.
In March 2013 and March 2014 the charity was audited by the ICO and received several recommendations to improve its data security. A spokeswoman for the ICO declined to specify which recommendations the charity had not complied with.
Stephen Eckersley, head of enforcement at the ICO, said in a statement: "In failing to ensure volunteers were properly supported, this charity showed a disappointing attitude towards looking after the very sensitive information that people trusted them with.
"Our investigation revealed serious deficiencies in the way the Alzheimer’s Society handles personal information. Some of these have been addressed, but the extent and persistence of the charity’s failure to do as we’ve asked means we must now take more formal action."
A statement from the Alzheimer’s Society said that the charity had failed to comply with only two of 20 recommendations made by the ICO in its 2013 audit and that it would address these as a priority. It said it was rolling out an "information asset register" that would be ready later this year.
Brett Terry, director of people and organisational development and senior information risk owner, said: "We are very sorry that data breaches have occurred. We have taken a number of steps to build on and improve our technology systems and processes to ensure that we meet and exceed both ICO guidance and industry standards.
"We would like to stress that, after comprehensive checks, to the best of our knowledge no personal data has been compromised."