Breach Reporting - A Reminder

Thursday, 12 May 2022.

We are seeing more organisations contact us because they are concerned that they have suffered a data breach. Here is a breakdown of how you can avoid a similar outcome.

Many incidents stem from measures that were put in place when COVID-19 first hit. Because many organisations have since adopted hybrid working, the new technologies and ways of working introduced at the start of the first lockdown remain in use. Problems include, for example, an employee accidentally sharing a confidential email by forgetting to close Outlook before screensharing, and permissions not being set correctly on new software, which meant staff could access information they had no authority to see.

Organisations should satisfy themselves that new platforms are configured correctly and that staff receive appropriate training on how to use them.

Increased Fines for Data Protection Breaches

Information security continues to be the area of greatest risk in terms of data protection compliance, and the majority of ICO fines for data protection breaches still result from security incidents. Organisations must ensure that they put in place technical and organisational measures to safeguard personal data.

The ICO has recently handed out fines to a Scottish HIV charity and the Cabinet Office. Both are useful illustrations of how things can go wrong, and of the ICO's expectations around what organisations must do in practice to safeguard personal data.

What Are the Reasons for the Fines?

The Charity sent an email to a number of individuals, but their email addresses were visible to all recipients because they were mistakenly put into the CC field when the sender had intended to use BCC. The ICO concluded that it could be inferred that the individuals were HIV positive or at risk of contracting the virus, and this was a significant aggravating factor.

The Charity had an awareness of data protection compliance (for example, by providing annual training), but the ICO still had a number of concerns, including:

  • Although staff were directed to read the Charity's public facing privacy notice, there was no dedicated policy covering the handling of personal data by staff.
  • Whilst staff were expected to complete a data protection training module, it appeared that new staff were allowed to handle personal data prior to completing their data protection training.
  • The Charity was already in the process of implementing a secure way of sending bulk emails which would have negated the need to use BCC. Because the new method was not yet in place, the ICO saw this as an aggravating factor: the Charity was aware that BCC was not secure but had decided to continue using it in the short term.

The Cabinet Office was fined because of the way it published the New Year 2020 Honours List on GOV.UK. The file remained accessible for 2 hours and 21 minutes after publication, during which time the data was accessed 3,872 times.

How to Avoid a Fine

These cases illustrate that, if a breach is considered serious enough, the ICO will closely scrutinise the measures that were in place prior to the incident and will, for example, carefully assess the effectiveness of any training and policies. Key takeaways:

  • Policies - Make sure that your data protection policies provide meaningful and relevant guidance for staff.
  • Training - By the same token, you should check that the training you are giving to staff is sufficient and that new staff have had the training before they are allowed access to personal data. Once staff have started, it is important that formal refresher training takes place annually.
  • Pitfalls of Using BCC - The HIV Charity fine confirms (as if such confirmation was needed) that relying on BCC to send bulk emails is insufficient for data protection compliance. The risk of someone making a mistake (as happened here) is too great. Instead, software should be used that allows emails to be sent to multiple recipients in a secure way. Many CRM or information management systems come with this functionality, so this should be easy for organisations to implement where it is not already in place.
  • Sign-off Procedures - Ensure that you have sufficiently robust procedures in place around the publication of personal data. This is a small step that can prevent a data breach.
  • Testing New Software - It is important to test any new software before your organisation fully implements it.

If you require any further information or have any questions about data protection breaches, please contact Andrew Gallie in our Information Law team on 07467 220831, or complete the form below.
