Information security continues to occupy first place in any sensible list of data protection risks. Fines for Data Protection Act infringements are almost exclusively reserved for information security breaches.
New technology brings new threats and the media is full of stories of organisations which have been the victim of complex cyber-attacks resulting in personal data about their customers or employees being stolen. Organisations are therefore well advised to keep abreast of the latest developments to ensure that their systems are secure.
Whilst there has been a lot of focus on some of the more sophisticated attacks, in our experience most breaches come about as a result of staff failing to get the basics right.
In this regard it is worth remembering that the Data Protection Act requires organisations to have in place both ‘technical’ and ‘organisational’ measures to keep personal data safe. In other words, compliance is as much about data protection awareness as it is about having clever technology.
Local authorities should therefore ensure that staff are given training on the information security basics and that this training is backed up with appropriate policies, procedures and written guidance. One of the trends we have seen recently is staff falling victim to ‘phishing’ emails (i.e. where an email is made to appear as if it has come from a trusted source). These are being used to trick staff into releasing confidential information about individuals, and staff should therefore be trained on how to spot such threats.
If cyber security remains one of the areas of greatest financial risk then, as any data protection officer will tell you, dealing with subject access requests (SARs) arguably takes up the most time and effort.
That individuals have a right to request a copy of the information an organisation holds about them remains one of the cornerstones of the Data Protection Act. A request might be made by a member of the public concerned that Council members have been making unprofessional comments about him in emails or a Council employee looking for that ‘smoking gun’ email to support her constructive dismissal claim.
Most organisations are anxious to ensure that they disclose everything that the requester is entitled to. However, there are a number of exemptions from disclosure and so it is often possible to lawfully withhold information which could be damaging to the local authority if disclosed.
Furthermore, disclosing too much can also result in regulatory action. The Information Commissioner’s Office (ICO, the data protection regulator) recently fined a GP surgery in Hertfordshire £40,000 for disclosing too much information when responding to a SAR. The issues faced by this particular GP surgery highlight similarities with what local authorities have to contend with when dealing with SARs.
The surgery, under pressure from the estranged partner of a female patient, released information which should have been withheld. The 62-page bundle that was released included the woman’s contact details and information about an older child to whom the estranged partner was not related by blood. The bundle also included correspondence with social services and child protection reports. In this case, there had been explicit requests from the patient to take particular care to protect her details.
The ICO did not just hold one individual responsible, but identified the lack of proper procedure, guidance and training within the surgery as the real cause.
The ICO explained that the fine would have been greater but for the fact that the partners were personally liable to pay it (i.e. because the surgery is a partnership). Other organisations (such as companies, charities and public bodies) would likely have been issued with a much larger fine in the same circumstances, especially as the ICO has the power to fine up to £500,000.
This case demonstrates the balance local authorities must strike: disclose too little and they could end up breaching the requester’s right to their information; disclose too much and there is a risk of infringing the rights of third parties.
This is a particular problem for local authorities because much of the information they hold will be mixed in the sense that it will be about a number of different individuals. For example, a record of a safeguarding concern might contain personal data about a pupil, mother, father and possibly also members of staff. If the father makes a SAR for the data then the organisation will have to carefully balance the father’s right to the personal data against protecting the rights of the pupil, the mother and possibly staff as well.
In the case of the GP surgery, the ICO found that staff had not been given sufficient guidance and supervision. This demonstrates the importance of ensuring that those individuals who deal with these requests are given sufficient training on the issues. This will likely include giving those staff responsible for SARs guidance on how to strike the appropriate balance when dealing with difficult cases (such as the safeguarding example above).
Much has been written about the possible legal ramifications of Brexit, but the position with regard to data protection law is particularly precarious.
This is because the new EU General Data Protection Regulation (GDPR) is due to replace the Data Protection Act in May 2018, but this might not now happen in light of the decision to leave the EU.
Nevertheless, our view is that UK organisations will be caught by the GDPR one way or another. First, the GDPR is due to come into effect before we leave the EU, so it should become law, at least for a while.
Second, the GDPR might be here to stay, as it may well be that compliance with the GDPR will be one of the conditions of the UK continuing to have access to the single market. Even if we leave the single market, UK organisations which handle the data of EU citizens must still comply with the GDPR.
In any event, it seems that regardless of our relationship with the EU post-Brexit, there is an inexorable drive towards harmonisation of data protection laws, and therefore the UK would be well advised to ensure that its own data protection laws offer equivalent protection to those of the EU.