Main menu


+44 (0)151 600 3000


+44 (0)161 836 8800


+44 (0)1772 823 921

Search form

Search form


Information Commissioner’s Office issues enforcement notice to the Alzheimer’s Society

Information Commissioner’s Office issues enforcement notice to the Alzheimer’s Society

Wednesday 24th February 2016

Share this article:

Charities & Social Enterprise News - Issue 20

On 5 January 2016, the Information Commissioner’s Office (ICO) issued an enforcement notice in respect of a number of serious failings in the way the Alzheimer’s Society handled sensitive personal data.

The failings primarily concerned a group of volunteers who were recruited to help sufferers and their families (or carers) to seek NHS healthcare funding. The 15-strong group handled 1,920 cases over a period of seven years, and in doing so they had access to sensitive personal data of such dementia suffers and their families/carers. The data included information used in drafting reports about the medical treatment, care needs and mental health of the dementia sufferers.

The ICO discovered among the failings that:

  • Volunteers were using personal email addresses to receive and share information about people who used the Alzheimer’s Society;
  • Volunteers stored unencrypted data on their personal home computers;
  • Volunteers failed to keep paper records locked away;
  • The Alzheimer’s Society had not trained the volunteers in data protection matters;
  • The Alzheimer’s Society had not explained its data protection policies and procedures to volunteers; and
  • There was a lack of supervision of staff.

The issues had been originally identified in late 2014 and required the charity to make improvements. While the Alzheimer’s Society has gone some way to make the necessary changes, the ICO remained concerned that more needed to be done. This, coupled with a separate breach in respect of a website hack in 2015 which put personal data of service users at risk, led to the issue of the enforcement notice.

In the enforcement notice, the ICO specifically noted that the failings amounted to a breach of the fifth and seventh data protection principles, relating to the length of time personal data should be kept and appropriate security measures respectively.

The ICO has given the charity six months to comply with the remedial steps set out in the enforcement notice, which include: the provision of secure email accounts and storage, appropriate organisational and technical measures against unauthorised staff access, provision of checking to ensure the security of the website and the provision of mandatory data protection training.

If the Alzheimer’s Society does not comply with the notice, it could face prosecution.

The Alzheimer’s Society has apologised for the failings and has issued reassurance that internal checks have shown that no personal data has ended up in the public domain as a result of the lapses. It also said that it was strengthening existing procedure to ensure training is passed to all volunteers and that compliance will be monitored.

This enforcement notice demonstrates that the ICO is not turning a blind eye to charities and whilst it will work with organisation, it will not shy away from issuing an enforcement notice if it does not consider improvements are being made fast enough. All organisations, including charities, who process personal data should ensure they are complying with the provisions of the Data Protection Act 1998. If there are any queries or concerns as to the nature or extent of your duties, or compliance with them, legal advice should be sought.

If you would like to discuss any of the points raised in this article please do not hesitate to contact:

Michael Winder

Associate, Commercial
Tel: 0151 600 3085