Many incidents stem from the measures that were put in place when COVID-19 first hit. Because many organisations have adopted hybrid working, much of the new technology and many of the ways of working introduced at the start of the first lockdown remain in place. Problems include, for example, employees accidentally sharing a confidential email by forgetting to close Outlook before screen sharing, and failing to set permissions correctly in new software, which meant staff could access information they had no authority to see.
Organisations should ensure they are satisfied that the platforms are configured correctly and that staff are given appropriate training on how to use new platforms.
Information security continues to be the area of greatest risk in terms of data protection compliance, and it remains the case that the majority of ICO fines for data protection breaches are the result of security incidents. Organisations must ensure that they put in place technical and organisational measures to safeguard personal data.
The ICO have recently handed out fines to a Scottish HIV charity and the Cabinet Office. Both are useful illustrations of how things can go wrong and also the ICO's expectations around what organisations must do in practice to safeguard personal data.
The Charity sent an email to a number of individuals, but their email addresses were visible to all recipients because they were mistakenly put into the CC field when the sender had intended to use BCC. The ICO concluded that it could be inferred that the individuals were HIV positive or at risk of contracting the virus, and this was a significant aggravating factor.
The Charity had an awareness of data protection compliance (for example, by providing annual training), but the ICO still had a number of concerns including:
The Cabinet Office was fined because it published the New Year 2020 Honours List on GOV.UK. The file remained accessible for 2 hours and 21 minutes after publication, during which time the data was accessed 3,872 times.
These cases illustrate that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident and will, for example, carefully assess the effectiveness of any training and policies that were in place. Key takeaways: