A recent data breach, in which emails revealed sensitive patient data, is reported to impact almost two thousand individuals and underscores the importance of a comprehensive data and cybersecurity programme.
What learnings can you take from the case to mitigate breaches at your organisation?
The data breach by the Charing Cross gender identity clinic, which supports adults with issues related to gender, is being treated as a serious incident by Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the clinic. Those impacted may suffer understandable distress as they may be outed to their friends and family, and some patients may even potentially suffer serious danger to their wellbeing or even safety.
The breach is an unfortunate case of human error – the clinic's patient and public involvement team used the carbon copy (cc) rather than the blind carbon copy (bcc) field when sending out the emails, so every recipient could see every other recipient's address. This scenario is not uncommon. However, notification to the Information Commissioner's Office (ICO) of such an incident is not always required.
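The cc-instead-of-bcc mistake described above is easy to catch mechanically before a message leaves the organisation. The following is an added illustration, not code from the original article or from the Trust: it assumes an outbound mail hook can hand each message to `check_message()` before delivery, and the internal domain, threshold and sample message are constructed values.

```python
"""Pre-send control for the cc-instead-of-bcc mistake (added example)."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.nhs.uk"   # constructed: the sending organisation's domain
MAX_VISIBLE_EXTERNAL = 1             # policy: more than one visible external address is bulk mail

# Constructed sample: a mass mailing with patients placed in Cc instead of Bcc.
SAMPLE = """From: ppi.team@example.nhs.uk
To: ppi.team@example.nhs.uk
Cc: alice@example.com, bob@example.org, carol@example.net
Subject: Patient involvement survey

Dear all, please find the survey attached.
"""


def visible_external_recipients(msg: Message) -> list[str]:
    """External addresses that every recipient can see, i.e. those in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    addrs = [addr.lower() for _, addr in pairs if addr]
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_message(raw: str) -> tuple[bool, str]:
    """Return (allowed, reason); block mail that exposes external recipients to each other."""
    exposed = visible_external_recipients(message_from_string(raw))
    if len(exposed) > MAX_VISIBLE_EXTERNAL:
        return False, f"{len(exposed)} external recipients visible in To/Cc; use Bcc"
    return True, "ok"


def move_to_bcc(raw: str) -> str:
    """Rewrite the message so external recipients are hidden in Bcc."""
    msg = message_from_string(raw)
    external = visible_external_recipients(msg)
    for hdr in ("To", "Cc"):
        # keep internal addresses visible, drop everyone else from the visible headers
        pairs = getaddresses(msg.get_all(hdr, []))
        keep = [a for _, a in pairs if a and a.lower() not in external]
        del msg[hdr]
        if keep:
            msg[hdr] = ", ".join(keep)
    if msg["To"] is None:
        msg["To"] = msg["From"]           # mass-mailing convention: address it to the sender
    if external:
        msg["Bcc"] = ", ".join(external)
    return msg.as_string()
```

Running `check_message(SAMPLE)` rejects the constructed message, and `check_message(move_to_bcc(SAMPLE))` accepts the rewritten one.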
It is important for businesses to be able to ascertain quickly whether a data incident has occurred, and equally important to be able to determine whether the incident is likely to result in "a risk to the rights and freedoms of natural persons." If there is no risk, then the leak may be classed as a data incident and may not be reportable to the ICO. There has been a tendency, particularly following GDPR, for businesses to 'over-report' incidents to the ICO when it is not necessary. An emerging best practice where close judgment calls must be made is to engage data security lawyers to assist in evaluating the "rights and freedoms" test as it applies to a data incident to determine reporting requirements and whether incidents do or do not meet the notification threshold.
The Trust may face a significant fine from the ICO for its failure to keep its patients' personal information safe. Separately, given the type of sensitive information disclosed, those individuals affected may be entitled to compensation. A leak of this nature could attract more substantial amounts than the loss of basic data. However, the ICO will often take into account mitigating circumstances in each case when considering data breaches, which could help to minimise any fine.
Mitigating steps may involve being able to show the ICO that the relevant IT systems were in place to prevent unauthorised processing of data; that staff were provided with adequate and regular training/updates; and/or that satisfactory policies and processes are in place to ensure safe processing of data. Organisations should consider a comprehensive programme of data protection and cybersecurity to prevent these data incidents and mitigate any regulatory enforcement action. In this area careful documentation helps demonstrate these mitigating steps, and for small and medium-sized organisations it is helpful to have a data protection and cybersecurity "systems integrator", such as a law firm or audit firm, to organise and execute the programme.
Many businesses have "GDPR indigestion" after spending large amounts looking at their systems, policies and procedures. However, these organisations must now develop the endurance because they are required to continuously monitor their compliance mechanisms and ensure that they are executed and updated.
With respect to email, you should:
When (not if!) a data breach happens it is important to have a rehearsed plan already in place. Organisations should have a procedure in place so that data incident response is structured and well-rehearsed and the resources are pre-positioned to deal with the fallout. Consider hosting a Serious Data Breach training day for key staff.
In addition to a rehearsal, data breach planning should include:
A comprehensive Cybersecurity Resilience and Response Programme is so important and should provide clients with an integrated, multi-disciplinary legal and technical solution which is bespoke to their business. This includes a number of key elements such as assessments, certifications, contract reviews & remediation, health checks and penetration testing, training, investigations (including forensics), brand & reputation management, and litigation and regulatory assistance.
TLT's Data, Privacy & Cybersecurity team assists clients in building organisational data resilience and effective incident response. Please do get in touch with Brian Craig, Lynsey Robinson or Claire Graham for further information or advice.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.