How safe is your data?
Housing organisations hold a vast amount of personal data about tenants and staff - is yours doing enough to keep it safe? Andrew Myatt, director of communities and housing at Tai Calon Community Housing in South Wales, shares how Tai Calon has overcome the challenges of data protection.
I would like to tell you about our data protection journey - the challenges we faced and overcame as well as how we manage our data and personal information.
However, first, let me tell you a little about Tai Calon which celebrated its fourth birthday in July. We own and manage just over 6,000 homes and are based in the beautiful valleys of South Wales, around 30 minutes away from Cardiff.
We are the largest social landlord in Blaenau Gwent, which is the smallest county in Wales.
We, like every other organisation, hold, use, exchange and share a vast amount of personal and sensitive information. As a consequence we face risk over how we store, manage and exchange this data.
While we have formal protocols in place with some of the organisations we share information with, what happens the rest of the time?
We decided to take a long hard look at what we do and don’t do. I would suggest you do the same - you may be very surprised at what you see and hear.
- what information is regularly left on desks that anyone could see and read?
- Do the computer screens shut down when staff are away from their desks?
- What’s been left on the dashboards or front seats of the vans or cars used by your own staff or contractors?
- As well as looking – listen. . . who is discussing what for all to hear in your reception or staff kitchen?
- How private are your interview rooms?
- Who can access the different areas of your building? Is anyone allowed to wander where they want?
- And, how good are you at managing people in and out of your buildings?
However, for us, things came to a head two years ago. A small mistake by an outside company and a member of staff led to limited, but sensitive personal information being released to a third party without permission.
We immediately reported the breach to the Information Commissioner’s Office as well as our own industry regulator. Importantly we also explained what we were doing to learn and to do better.
We commissioned an external auditor to review our handling of the specific case. They also examined our wider process and policies in terms of how we manage and secure personal data. In reality this meant setting up an internal project team, sponsored by me but supported by Paula Tighe at Wright Hassall
Its’ been a tough 18 months. I cannot over emphasise how much work has been done but it has been worth it. Some of our highlights are that we now have:
- Fully trained staff – who understand the law, our systems/processes and importantly their responsibilities
- Front line, customer facing, managers are now accountable for data management – it's no longer seen as a back office role
- Tenants understand the issue better and how it can impact on what service we can give
- All visitors are well managed and only have access to the areas where they really need it
- We have redesigned our office so that personal information cannot be inadvertently seen from public areas
- We have a comprehensive new suite of policies, processes and governance documents
- We regularly test our systems, and
- Continue to strive to improve.
What happened to us was an innocent mistake - however, it could have had very serious consequences for us as a business and for the person affected.
I cannot emphasise enough the importance of constantly reviewing and improving your systems of handling sensitive data.
Don’t delay, start the process today - before something happens!