When Data Protection Really Is a Matter of Life and Death
When people find out I periodically review the judgements the Information Commissioner’s Office (ICO) has made on recent data protection cases, they look at me with a mixture of bewilderment and pity. But there’s a good reason I do this.
The ICO and Its Judgements
The ICO are the supervisory authority for data compliance in the UK. If someone complains about your handling of their personal data, it’s the ICO they complain to. That means it’s the ICO that will investigate the matter and, quite possibly, come and audit your data protection framework.
There are two main benefits to keeping abreast of the cases and their outcomes.
1. The ICO report (known as a Penalty Notice) always pinpoints where the breakdown occurred in the defendant’s data protection processes. You can then ask yourself, could the same situation arise in your business or, worse, does it already exist? Do you process data in the same way, and are you unwittingly exposing yourself to the risk of non-compliance, complaints, and a reprimand?
2. Because the Penalty Notice outlines the reasoning behind the judgment made by the ICO, you gain some insight into how the ICO makes its decisions, and what it investigates and considers along the way. If something is mentioned that isn’t currently addressed by your data protection governance, you need to consider whether it’s something that applies to your business, and whether you should take steps to adopt the necessary protections.
We can all learn from our mistakes, but it’s less painful to learn from the mistakes of others. The fewer surprises you face in running your business, the better. And speaking of surprises, it’s often surprising which organisations have found themselves in the ICO’s crosshairs.
We’ll look at judgments made against two well-known organisations: the Ministry of Defence (MoD) and the Police Service of Northern Ireland (PSNI).
Ministry of Defence
In December 2023, the ICO reported on their investigation into incidents that happened in August and September 2021. The Penalty Notice described the incidents and the reasoning behind the ICO’s decision to issue a fine of £350,000.
Personnel in the MoD sent several emails to multiple recipients. Instead of putting the recipients’ email addresses in the “BCC” (blind carbon copy) field, they mistakenly put them in the “To” field. Anyone receiving such an email could see all the other addressees.
The infringement itself sounds relatively minor, and £350,000 seems a bit on the steep side, to say the least. As usual, the devil is in the detail. You always have to consider the impact, or potential impact, to the data subjects.
In this case, the emails were sent by the Afghan Relocations and Assistance Policy (ARAP) team, and some 265 data subjects were affected. The data subjects were individuals identified by ARAP as “high risk and high priority” British and Afghan nationals who were being relocated to the UK, following the US announcement that it was withdrawing from Afghanistan. These were individuals who were still in Afghanistan, after the last military flight left Kabul on August 28, 2021.
Clearly, if such an email fell into the wrong hands, the potential impact to the data subjects included imprisonment or death.
The risk was so high that the ICO originally considered a penalty of £1,000,000, but took into account the “urgent and pressurised circumstances of the evacuation from Afghanistan” and reduced this to £700,000. They then reflected on their own policy in relation to enforcement against public sector bodies, and made a further 50% reduction, arriving at the final penalty of £350,000.
The UK GDPR article the MoD infringed is 5.1.(f), which states: (personal data shall be) “… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
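The MoD breach is a single mistaken field choice, and it is the kind of mistake that can be caught mechanically before the message leaves the organisation. The following is an added example of a pre-send check, not code from the article or the MoD: it parses an outbound message, counts the addresses that every recipient will be able to see (To and Cc, never Bcc), and blocks any bulk mailing that exposes more than a small number of external addresses in the open. The threshold, the sender domain logic and the two sample messages are constructed assumptions for illustration.

```python
"""Pre-send check for the "To instead of Bcc" mistake (added example).

Not from the original article or the MoD.  The threshold and the sample
messages below are constructed assumptions, not an ICO or MoD figure.
"""
from email.parser import Parser
from email.utils import getaddresses, parseaddr

# Assumed organisational policy: more than this many external addresses
# visible to each other in To/Cc is treated as an accidental mass mailing.
MAX_VISIBLE_EXTERNAL = 2


def visible_recipients(raw_message: str) -> list[str]:
    """Return every address in the To and Cc headers, lower-cased and
    de-duplicated.  These are the addresses each recipient can see; Bcc is
    deliberately excluded because it is stripped before delivery."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def audit_outbound(raw_message: str,
                   max_visible_external: int = MAX_VISIBLE_EXTERNAL) -> dict:
    """Decide whether a message may be sent as addressed.

    Addresses in the sender's own domain are treated as internal; only
    external addresses exposed to each other count towards the threshold.
    """
    msg = Parser().parsestr(raw_message, headersonly=True)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    visible = visible_recipients(raw_message)
    external = [a for a in visible if not a.endswith("@" + sender_domain)]
    block = len(external) > max_visible_external
    return {
        "visible": visible,
        "external_visible": len(external),
        "decision": "block" if block else "allow",
        "reason": (f"{len(external)} external recipients would see each other; "
                   f"move them to Bcc" if block else "ok"),
    }


# Constructed sample messages (example.* domains, no real people).
SAMPLE_BAD = """\
From: relocation-team@example.gov.uk
To: alice@example.net, bob@example.org, carol@example.com, dave@example.net
Subject: Update on your application

Body text.
"""

SAMPLE_OK = """\
From: relocation-team@example.gov.uk
To: relocation-team@example.gov.uk
Bcc: alice@example.net, bob@example.org, carol@example.com, dave@example.net
Subject: Update on your application

Body text.
"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, audit_outbound(sample))
```

A check like this belongs at the mail gateway or in the client's send hook, where it fires before the message leaves the organisation; a warning that appears after delivery is of no use to the people on the list.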
Police Service Northern Ireland
Equally grave was the inadvertent breach on August 8, 2023 by PSNI personnel responding to a Freedom of Information request through a public-facing web portal. They had downloaded data from an internal system, imported it into Excel, and manipulated the data into the requested tables.
However, they had not deleted the tab in the Excel workbook that contained the raw data. That tab contained the personal information of 9,483 serving officers and staff of the PSNI. The PSNI are confident that the information is now in the hands of “dissident Republicans”.
The severity of this breach cannot be overstated.
The UK GDPR articles infringed by this breach are 5.1.(f) as in the MoD example above, and 32(1) which refers to the “Security of Processing”.
The financial penalty has been set at £750,000.
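The PSNI workbook left the organisation with a tab nobody had looked at. A release check that lists every sheet in a workbook, including hidden ones, and refuses to publish anything not on an approved list would have surfaced it. The following is an added example, not code from the article or the PSNI: it reads the sheet index straight out of the .xlsx container (an .xlsx file is a zip archive, and the list of sheets lives in xl/workbook.xml), so it needs no Excel library. The minimal workbook fixture it builds contains only the part the check reads and is a constructed assumption, as are the sheet names and the approved list.

```python
"""Release check for spreadsheets: list every sheet, hidden or not (added
example, not from the original article or the PSNI).

The fixture below is a constructed, minimal .xlsx container holding only
xl/workbook.xml; real workbooks carry many more parts, but the sheet index
this check reads is the same.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def list_sheets(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (name, state) for every sheet in the workbook.

    Excel records a sheet's state as "visible", "hidden" or "veryHidden";
    the attribute is simply absent for visible sheets.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    sheets = root.find("m:sheets", NS)
    return [(s.get("name"), s.get("state", "visible"))
            for s in sheets.findall("m:sheet", NS)]


def release_check(xlsx_bytes: bytes, approved: set[str]) -> dict:
    """Allow release only if every sheet is on the approved list and none
    is hidden.  Hidden sheets are reported separately because they are the
    ones a reviewer looking at the open workbook will not see."""
    sheets = list_sheets(xlsx_bytes)
    unexpected = [name for name, _ in sheets if name not in approved]
    hidden = [name for name, state in sheets if state != "visible"]
    return {
        "sheets": sheets,
        "unexpected": unexpected,
        "hidden": hidden,
        "release": not unexpected and not hidden,
    }


def make_sample_workbook(sheets: list[tuple[str, str]]) -> bytes:
    """Constructed fixture: a zip containing only xl/workbook.xml."""
    entries = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state != "visible" else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{NS["m"]}" xmlns:r="{REL_NS}">'
        f"<sheets>{entries}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


# Constructed samples: the FOI answer with its raw-data tab still present
# (hidden, so a glance at the open file would not show it) and a clean copy.
SAMPLE_WITH_RAW = make_sample_workbook([("FOI Response", "visible"),
                                        ("Raw Data", "hidden")])
SAMPLE_CLEAN = make_sample_workbook([("FOI Response", "visible")])
APPROVED = {"FOI Response"}

if __name__ == "__main__":
    print(release_check(SAMPLE_WITH_RAW, APPROVED))
    print(release_check(SAMPLE_CLEAN, APPROVED))
```

The approved list is the point: the person releasing the file states up front which sheets the answer should contain, and anything else, visible or not, stops the release. Copying the finished tables into a brand-new workbook achieves the same end without a script, and the check above is the way to enforce that habit.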
Not All Breaches Are Matters of Life and Death
These two life-threatening breaches were the result of simple human error. You can minimise this type of human error by implementing straightforward, clear policies and procedures. They need to be introduced sensitively, with training for your staff so that they understand the procedures themselves, and the need for, and the benefits of, the procedures.
And finally, concerning matters of life and death, a French company that provides clairvoyance services online and over the telephone was fined €150,000 by its supervisory authority for:
· Failing to minimise the personal data collected and used (Article 5.1.c)
· Not having a legal basis for the use of banking data (Article 6)
· Not obtaining prior consent for collecting special category of data (Article 9)
· Not ensuring data security (Article 32)
· Not notifying their Supervisory Authority of breaches (Article 33)
· Not complying with requirements for website cookies (Article 82, DPA)
It’s not a great advert for their services if they didn’t see that coming.
A non-compliance or infringement by your staff might not place people in life or death situations, but the financial penalties and reputational damage to your business will still be impactful and unwelcome. You don’t need to be clairvoyant to predict that.
Pro-Networks can assist you with creating, updating, and maintaining your data protection framework, and all the governance documentation that needs to accompany it.