Staff are not being trained in how to handle personal data by their employers, despite a legal obligation to do so under the Data Protection Act according to a survey.

IT Governance has found that in a survey of 130 technology and compliance professionals, including CIOs, that 96 per cent of the organisations held customer or patient information and that 56 per cent held financial information, 39 per cent held sensitive personal information – i.e. ethnic or political affiliation – and 36 per cent held medical information. But only 55 per cent of the employees at these organisations had been trained on the legal responsibilities they had in their handling of that information.

“Under the Data Protection Act it is a legal requirement for organisations to safeguard personal information, but this can only be achieved with the support of employees,” said Alan Calder the IT Governance chief executive.

Carrying out its research IT Governance found that employees regularly side-stepped policies and procedures purely to do their jobs. IT Governance said this was because information management policies were either too obtrusive in design or implementation.

Organisations are aware of their responsibilities under the Data Protection Act, with over 80 per cent tasking an individual for data control and maintaining privacy. Documented procedures existed in 68 per cent of organisations polled; policies for protecting personal data existed in 82 per cent of organisations.

Earlier this year IT specialists Capgemini called for CIOs to put information management and policy back into their job role. In a study Capgemini found that the information culture in many organisations is broken, which in turn led to information management debacles like HMRC data loss.