British officials say the Alzheimer's Society has "a disappointing attitude" about safeguarding its clients' privacy and warns it faces prosecution if it fails to make improvements quickly.
The Information Commissioner’s Office (ICO) has given the organization, which is separate from the U.S.-based Alzheimer's Association, six months to comply with an enforcement notice that outlines the required improvements.
The Society says it is "the UK's leading dementia support and research charity for people living with dementia, their families and carers." But the ICO said it found that volunteers at the society were using personal email addresses to receive and share information about the charity's clients, were storing unencrypted data on their home computers, and were failing to store paper records securely.
ICO's head of enforcement, Stephen Eckersley, said the society must begin training volunteers properly and giving them the same support as employees.
“Anything less is unacceptable and, considering the vulnerability of the people who use the society’s services, we have acted,” Eckersley said.
The ICO's report said that a corps of 15 volunteers handled sensitive information about nearly 2,000 cases in recent years, including medical findings, treatment data, and other personal information.
The shortcomings were first identified in November 2014. The current enforcement order is being issued because the ICO said the organization did not respond properly to the earlier recommendations.