Data Protection and Coronavirus – ICO Guidance

The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.

On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”

Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:

  • The ICO understands that data protection standards may not be as high during this time because resources are being diverted away from compliance work. Organisations won’t be penalised if they need to adapt their usual practices.
  • Data protection laws do not prevent people working from home, which many will do during the pandemic. The same security measures should be considered for homeworking as at the workplace.
  • Staff should be informed about cases of coronavirus at your organisation. Individuals do not need to be named, however; provide no more information than is necessary.
  • There’s no need to collect significantly more health data about your employees. While you have an obligation to protect their health, you should not collect more information than you need and can take a commonsense approach to this.
  • Rather than attempting to handle things internally, a better approach may be to ask people to consider and follow government advice – for example, calling the NHS on 111 if they have visited a badly affected country or are showing symptoms of the virus.
  • It’s fine to share employee health data with the authorities if necessary – although it’s unlikely you’ll need to do so.

You can read the full guidance from the ICO here.

This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.

If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.

First UK GDPR fine issued

The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.

The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.

The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from Mondaq:

These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.

The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.

There are many important things to note from this first UK GDPR fine:

  • While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
  • The data involved was not breached, but was stored in a dangerous way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but overall compliance.
  • GDPR applies not only to data stored digitally but to hard copies as well. Physical documents should be stored safely and securely, and properly disposed of.
  • Data controllers are required to protect data against damage or accidental loss; apart from questions over security, it is clear that storing documents outside in a cardboard box will not sufficiently protect them from damage.
  • According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR in any way.

Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.

If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.

Dixons data breach leads to £500,000 fine

A Dixons data breach has led to the company being fined £500,000 by the ICO. At least 14 million people were affected after malware was installed on computer systems, allowing hackers to steal customers’ personal data.

The malware was installed on “point of sale” tills at stores for Currys, PC World, and Dixons Travel. In addition to names, email addresses, and postcodes, the hackers also gained access to 5.6 million card details.

According to The Guardian:

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.

This demonstrates the importance of cybersecurity in today’s digital age. Dixons has made basic errors in its approach – despite the area of business it is in – and is now paying the price.

However, the fine could have been much greater. This Dixons data breach took place between July 2017 and April 2018, just before GDPR came into force. As a result, Dixons has been fined the maximum amount for a breach of the Data Protection Act 1998 instead, for which the penalties are much less severe.

For comparison, British Airways was fined £183 million for a data breach last year. Dixons has been fortunate in this case – although the same cannot be said for their customers. The Guardian goes on:

Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.

“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Click here to read The Guardian’s article in full.

Dixons has, at least, responded to the data breach in the proper way by notifying the ICO and doing what they could to limit the damage. Their cybersecurity failings, however, were considerable, and will hopefully be learned from.

Our GDPR consultants are here to help if you have concerns about your own data protection programme. Get in touch with us today to find out what we can do for you!

New Year’s Honours addresses published

In an embarrassing slip-up for the British government, the addresses of more than 1000 New Year’s Honours recipients have been published online. The file was apparently uploaded to an official website on Friday evening before being taken down again on Saturday.

Those who had their details leaked included politicians, senior police officers, and a number of celebrities – including Sir Elton John, cricketer Ben Stokes, and TV cook Nadiya Hussain.

In his analysis for the BBC, Rory Cellan-Jones writes:

There is no doubt that this is a serious data breach and the government, of all organisations, should be better acquainted with the law on disclosing sensitive personal information.

But while some of the celebrities and the police officers awarded honours may be concerned about their privacy and security, it would have been far more serious if the home addresses of those on the list of gallantry awards had been leaked.

The Information Commissioner’s Office has so far only levied one fine under the new Data Protection Act which came into effect in 2018 – a London pharmacy was fined £275,000 for careless storage of the very sensitive medical data of half a million people.

Lawyers who specialise in data protection think the ICO will see this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices.

But they say much now depends on the attitude of those who have seen their data leaked – they could decide to bring civil claims against the government for putting in the public domain information many of them have been determined to keep private.

You can read the full BBC report here.

This is again a demonstration that it is not just private businesses that can run afoul of data protection laws. Public bodies – including the government – can do so as well.

It’s extremely worrying that a breach like this can happen. Announcing the New Year’s Honours list is a high-profile event, and many of the people included on the list are high-profile too. This could have serious consequences.

Although Cellan-Jones believes the Cabinet Office may get off lightly with just a warning, it remains to be seen how the ICO will respond. But whatever happens next, data protection practices should definitely be looked at closely within government.

If you’re concerned about your own data protection measures, get in touch with Activa Consulting today and let us help you improve your organisation!

Brechin High School shares pupil data in assembly

There has been outrage after a Scottish school, Brechin High School, shared the personal data of about 50 pupils with other students at an assembly. The data, concerning disabilities and mental health, was included on a slide about such conditions as autism and ADHD.

The BBC reports that:

The presentation covered how pupils can prepare for prelim exams in January.

It then detailed how exam arrangements for children with additional support needs would be different, and listed individual pupils.

The incident is a flagrant breach of GDPR. The personal data of children is considered sensitive as they are vulnerable individuals – and the same applies to the data of people with mental health issues and disabilities.

To share this data with others is therefore a clear breach of data privacy laws. This incident has put these pupils at risk, as well as being a clear breach of trust. The BBC continues by noting that:

Angus Council said the school’s head teacher was contacting the parents of the pupils whose details were shared.

A spokesman said the incident was “unacceptable” and should not have happened “under any circumstances.”

He said: “We apologise for the obvious upset and concern this has caused, particularly to those young people whose details were shown.

“Inquiries are under way to establish the full circumstances of this isolated incident and whether any individual learning requires to be provided.”

The council said the UK Information Commissioner had also been advised of the incident and “appropriate support” would be provided to the pupils affected.

While it’s positive that Brechin High School has recognised its mistake, this is little comfort to those affected. The damage has already been done, and the ICO will respond accordingly.

The school should first and foremost look into how the incident happened, and identify whether its staff had sufficient data protection training. The incident shows that there was a clear lack of awareness around certain issues.

If you’re concerned about your employees’ understanding of data protection, contact us today. Our Staff Training services will improve their knowledge and equip them with the awareness to change their actions, minimising the risks to your business and allowing them to confidently handle personal data.