Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Organising effective internal data protection training [1999] PLBIRp 30; (1999) 49 Privacy Laws and Business International Report 12

Organising effective internal data protection training

A report by Robert Waixel

COMMUNICATING your data protection policy and procedures within your organisation is often challenging as colleagues may not regard data protection as important. The Royal Society for the Prevention of Cruelty to Animals uses a mixture of training methods to get the message through.

Sharon Rowland, Information Protection Officer at The Royal Society for the Prevention of Cruelty to Animals (RSPCA), explained to the Privacy Laws & Business 12th Annual International Conference in June how to market data protection training, which training materials to use, and how to arrange training that achieves results.

RSPCA IN A NUTSHELL

The RSPCA is the leading charity for the protection of animals in England and Wales. (Scotland has its own similar organisation). Sharon Rowland told the conference that the RSPCA operates on a much larger scale than many people realise, handling 1.3 million calls a year for advice on welfare about particular animals. To do this, it employs 1,500 staff throughout England and Wales who work in ten Regional Headquarters, and at the national headquarters in Horsham, West Sussex.

The RSPCA also runs 15 Animal Hospitals and Wildlife Hospitals. There are 194 branches, each organised as separate independent local charities. The society's 326 inspectors investigate potential animal welfare offences, which may lead to prosecution. In addition, the organisation provides advice to members of the public, and organises campaigns to improve animal welfare.

WHY DOES THE RSPCA NEED A DATA PROTECTION OFFICER?

"Although the principal business of the RSPCA is animals, it still handles a significant amount of information about people," Sharon Rowland told the conference. "The 1,500 staff have, like all staff, personnel issues. In addition, we hold membership data on about 55,000 members."

A large amount of fund-raising is done by direct marketing which builds up the amount of personal data processed by the organisation. Particularly sensitive data, both in legal (Data Protection Act 1998) and ethical terms, is collected in relation to potential offences and prosecutions, as well as convictions. Often the RSPCA is the only central source of such information.

For an organisation of its size, the RSPCA receives a relatively high number of formal subject access requests, some 15 per annum, and also a high number of disclosure requests relating to prosecution data.

TRAINING BY A MIXTURE OF METHODS

The RSPCA Data Protection Officer is based in the Information Systems Department, and liaises regularly with the Legal Department, but also with all other departments. It is also important to keep in touch with regional sites and other charities. In all cases, in common with many other organisations, the RSPCA Data Protection Officer provides both compliance advice and training - often simultaneously.

Again, as with many other organisations, a mixture of methods and media are used for internal training.

"We use written materials as well as training sessions for groups of all sizes down to one-to-one. The one-to-one training is particularly appropriate for temporary staff, work experience students and new managers. We also use our internal e-mail system (GroupWise), posters, and trickle training whereby we train a trainer, who in turn trains others, and so on," Sharon Rowland explained.

INDUCTION FOR ALL STAFF

Data protection issues have been incorporated into the general induction programme for all new staff. Data Protection awareness is included in the formal sessions, and part of the written information is already provided at this stage. The organisation uses cartoons in order to try to make this broad issue more approachable.

Other parts of their training programme include a one-day course called 'Information Protection Update'. It is run as part of the RSPCA's internal training scheme, where it is included amongst a wide range of other subjects (ranging from stress management to oil pollution of animals). There is a checklist to help participants decide how useful and relevant data protection training would be for them. Once a member of staff has participated in the course, there is a review to establish the relevance and usefulness of the training.

These courses are usually provided at the RSPCA training school. Any member of staff can apply, and most attend a number of times over the years, with subsequent visits refreshing and updating previous knowledge.

SPECIFIC AND AD HOC TRAINING

The RSPCA also organises specific and ad hoc training. These sessions can be arranged on request, and tailored for a particular department's needs in terms of content, timing and location. For example, the organisation runs specific training courses for those who wish to become trainee inspectors in the future.

The organisation also conducts training at the ten Regional Headquarters. A conscious effort has been made to 'take training to the people,' as it has been established that the training needs in regional offices are different from those at 'Head Office.'

"Senior Management are usually too busy to attend training courses, so there are regular briefing sessions at the Information Systems Steering Group (ISSG) meetings, and for Heads of Departments on the key issues requiring their attention. This is, of course, training in all but name," Sharon Rowland summarised.

In order to market data protection training, the organisation uses a course guide to communicate to the staff what is included in the particular course. Although the data protection course is open to all, those who handle personal data are, in particular, encouraged to attend.

The administration is done centrally thus encouraging the staff to attend. As a further encouragement to enrol, the organisation sends group e-mails as reminders of the course's existence, specifically targeted to the people with relevant responsibilities.

"The RSPCA training is conducted by using traditional presentation sessions with overheads, with many opportunities to ask questions. Many different media are used: there are handouts (including pre-course reading), visual aids, training videos and group exercises. We use both a feedback form at the end of the session, and provide follow-up support. The whole aim is to make a subject that is quite dry for many, as interesting, relevant, lively and memorable as possible," Sharon Rowland told the conference.

Training materials are also tailored to specific needs. Thus the Induction module on Data Protection, which is attended by every new employee, includes a data protection quiz. The topic is further explored in a module on Information Security. Handouts, which relate to the specific needs of different departments are also used. The 'new computer user' pack, and most other departmental manuals (e.g. Personnel) and procedures also contain material about Data Protection and Information Security.

THE INFORMATION PROTECTION CLUB - A NOVEL IDEA

"Training exercises are used to bring the attention of the class to a specific problem. One approach might be, for example, to consider membership registration. The class attempts, in groups, to decide the information which should be registered. The results are often surprising, especially compared with the actual registration, which goes into more detail than the participants might have expected. Another approach may be to consider particular scenarios taken either from the Data Protection Registrar's training video or from an RSPCA perspective, and consider how it should be handled. A further exercise is offered on IT security," Sharon Rowland said.

Training is not just the task of the Data Protection Officer at the RSPCA. A policy of trickle training ensures that training is also delivered through the formal chain of line management, i.e. Regional Managers. In most departments there is a local expert on data protection, and these people form an Information Protection Club. They are the holders of the RSPCA Information Protection Handbook (with fuller details of procedures, register entry, training modules etc), and form a first point of call for data protection queries and training within a Department. The club meets regularly two or three times a year to discuss problems and queries.

AWARENESS IS MAINTAINED BY POSTERS AND E-MAIL

Sharon Rowland stressed that maintaining awareness is just as important as initial and follow-up training. Posters are used in two ways. Firstly there are the general posters supplied by the Data Protection Registrar's Office. In addition, the organisation produces posters in-house. The internal posters are used to highlight the 'five key points' raised at the most recent local training course. E-mail is used to send "IT Security Messages" to all staff reminding them of good practice.

To further promote data protection training, the Data Protection Officer attends Branch Officers' and Regional Conferences to spread the word, make contacts, and answer questions and queries.

HOW TO MAKE TRAINING ATTRACTIVE

Sharon Rowland gave a few valuable tips on how to persuade staff to attend data protection training. Her five key points are:

1. Target the message and make it relevant.

2. Use the organisation's own language, style and culture.

3. Appeal to the staff's sense of professionalism and team spirit. This is especially relevant for a vocational organisation like the RSPCA.

4. Appeal to the individual's self interest. This needs tact, to avoid scaring individuals with their personal liability to prosecution.

5. Make it interesting. Keep individuals involved.

This report, based on Sharon Rowland's presentation at the Privacy Laws & Business 12th International Annual Conference in Cambridge, UK, held 28-30th June, was written by Robert Waixel. He is a Senior Lecturer in Computer Science at Anglia Polytechnic University, Cambridge, and can be contacted by e-mail: rwaixel@beta.csd.anglia.ac.uk. He is particularly interested in Computer Law, and all aspects of data protection policies, procedures and practice.