Two Data Protection Horror Stories to Keep You Awake At Night
This article has been published in the Summer 2018 edition of Solo - the journal of the Sole Practitioners Group.
As yet, no one knows the real downsides of the GDPR, as it remains to be tested. The general principles under the GDPR and the Data Protection Act 2018 (“DPA 2018”) are more comprehensive and exacting than under the Data Protection Act 1998 (“DPA 1998”) which they replace, and the powers of the Information Commissioner's Office (“ICO”) are more extensive. However, what about the more ordinary issues with data protection: leaving papers on your desk overnight, or cc-ing a number of people, even colleagues, into an email instead of bcc-ing them? Well, here are two horror stories which may keep you from sleeping (even though they were dealt with under the old legislation).
The Data on the Desk or Otherwise Unsecured Personal Data
The ICO fined Bayswater Medical Centre £35,000 for contravention of the Seventh Data Protection Principle.
On 24th May 2018, the ICO fined the Bayswater Medical Centre (“BMC”) £35,000 under section 55A of the DPA 1998 for a contravention of the Seventh Data Protection Principle.
The ICO had found that the severity of the breach merited a fine of £80,000, but this was reduced after BMC's ability to pay was taken into account. In February 2017, officers from NHS England visited BMC and found a large quantity of highly sensitive information left on desks, in unlocked cabinets and in bins. They ordered BMC to remove the information the next day.
An investigation by the ICO found that BMC had moved out of a former GP surgery, but continued to use the premises for storage purposes. Representatives of another GP surgery were allowed to visit the vacant building with a view to taking over the lease. Once inside, they found unsecured medical records and other sensitive information. The surgery informed BMC, but the owners took no action to secure the data.
Send individual emails or Bcc, DO NOT cc
The ICO fined Gloucestershire Police £80,000 for contravention of the Seventh Data Protection Principle.
On 11th June 2018, the ICO fined Gloucestershire Police £80,000 under section 55A of the DPA 1998 for contravention of the Seventh Data Protection Principle.
At the time of the contravention, Gloucestershire Police were investigating allegations of abuse relating to multiple victims.
On 19th December 2016, an officer involved in the investigation sent an email update on the case to 56 recipients by entering the recipients' email addresses into the "to" field, and did not use the "bcc" function, which would have prevented their details from being shared with others. Each recipient of the email was therefore able to see the full names and email addresses of all the other recipients, who were individuals associated with Gloucestershire Police's investigation, including victims of childhood abuse.
An investigation by the ICO found that Gloucestershire Police had failed to send a separate email to each participant, and instead utilised the bulk email facility, failed to use the Microsoft Outlook "bcc" function, and failed to provide staff with any policies, guidance or training on bulk email communication and use of the "bcc" function, especially in relation to sensitive cases being investigated.
These inadequacies all amounted to a serious contravention of Principle 7 of the DPA 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.
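As an added illustration, not part of the original article: a small Python pre-send check for the failure mode described above (recipients exposed in the visible To/Cc headers), together with the two remedies the ICO's findings point to, moving recipients to Bcc or sending one message per recipient. The addresses and the case-update text are constructed for the example.

```python
from email.message import EmailMessage

# Constructed sample addresses for the example (not from the ICO notice).
RECIPIENTS = [f"participant{i}@example.org" for i in range(1, 57)]  # 56, as in the case
SENDER = "case.officer@example.org"

def bulk_update_as_sent(recipients):
    """Reproduce the failure mode: every address placed in the visible 'To' header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Case update"
    msg.set_content("Update on the investigation.")
    return msg

def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc. Bcc is never delivered to others."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(a.strip() for a in msg.get(header, "").split(",") if a.strip())
    return addrs

def check_exposure(msg, max_visible=1):
    """Pre-send policy check: a finding if more than max_visible addresses are exposed."""
    n = len(visible_recipients(msg))
    return [] if n <= max_visible else [f"{n} addresses exposed in To/Cc (limit {max_visible})"]

def as_bcc(msg, recipients):
    """Remedy 1: recipients go in Bcc; To carries only the sender's own address.
    smtplib.send_message uses Bcc for the envelope and strips it from the sent copy."""
    fixed = EmailMessage()
    fixed["From"], fixed["To"], fixed["Subject"] = msg["From"], msg["From"], msg["Subject"]
    fixed["Bcc"] = ", ".join(recipients)
    fixed.set_content(msg.get_content())
    return fixed

def as_individual(msg, recipients):
    """Remedy 2: one separate message per recipient, so no address list exists at all."""
    out = []
    for addr in recipients:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = msg["From"], addr, msg["Subject"]
        m.set_content(msg.get_content())
        out.append(m)
    return out
```

Wiring `check_exposure` into the send path (refusing to send when it returns findings) is the technical counterpart of the policy and training the ICO found missing.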
It is not only having a policy and staff training that matters; it is applying that policy and avoiding, so far as is possible, human error.
© Nicholas Woolf, Director and Principal, Nicholas Woolf & Co
22nd June 2018
This note comprises the view of the author as at 22nd June 2018. This note is not a substitute for legal advice. Information may be incorrect or out of date, and may not constitute a definitive or complete statement of the law or the legal market in any area. This note is not intended to constitute advice in any specific situation. You should take legal advice in specific situations. All implied warranties and conditions are excluded, to the maximum extent permitted by law.