Three staff investigated into Princess of Wales data breach

March 21, 2024

The Times reports that the investigation into a data breach involving the Princess of Wales’ medical records at the London Clinic has homed in on three staff, and the Information Commissioner has received a breach report and is investigating as well. The story has been picked up by the Australian as Three hospital staff ‘tried to access Princess of Wales’s records’. Initially one person was suspected of causing the data breach. That has expanded to three. That is not unusual. In cases where people seek out salacious information or photographs, the desire to share seems to be difficult to resist. That occurred when photos of Dani Laidley were inappropriately taken in a police station and then sent to other police officers.

Data breaches involving snooping into medical records are a chronic problem in hospitals. But they can be minimised if there are proper systems in place. Top of the list is requiring anyone who accesses records to have authorisation and to sign in before they can view them. That creates a trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to. It is not foolproof, as those determined enough can use others’ authorisation, but even then there are ways of dealing with that. It is no less a problem in my experience in Australia than in the UK. Given the regulation is Read the rest of this entry »
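As an added illustration (not part of this post, and not any hospital’s real system), the following Python script runs the kind of audit-trail check described above over a few constructed access-log lines: it flags record views by staff with no care relationship to the patient, repeated views of one record by one user, and any access to records marked for extra scrutiny. The log layout, the care-team table, the restricted-record list and the repeat-access threshold are all assumptions.

```python
"""
Added example: a small audit-trail review of the kind the post describes.
Everything here (log format, care-team table, restricted list, threshold)
is constructed for illustration and is not any hospital system's real data.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit trail: who touched which patient record, and when.
SAMPLE_LOG = """\
timestamp,user,patient,action
2024-03-18T09:02:00,nurse01,P1001,view
2024-03-18T09:05:00,nurse01,P1002,view
2024-03-18T10:11:00,clerk07,P9000,view
2024-03-18T10:12:00,clerk07,P9000,view
2024-03-18T10:15:00,clerk07,P9000,print
2024-03-18T11:00:00,dr_lee,P1001,view
2024-03-18T11:30:00,clerk07,P1002,view
2024-03-18T12:00:00,dr_lee,P9000,view
"""

# Constructed care relationships: which staff are assigned to which patients.
CARE_TEAM = {
    "nurse01": {"P1001", "P1002"},
    "dr_lee": {"P1001", "P9000"},
    "clerk07": set(),  # administrative role with no assigned patients
}

# Constructed list of records that warrant review on every access.
RESTRICTED_RECORDS = {"P9000"}

# Assumed threshold: this many accesses to one record by one user is worth a look.
REPEAT_THRESHOLD = 3


def parse_log(text):
    """Parse the CSV audit trail into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def find_unauthorised_access(rows, care_team):
    """Accesses where the user has no care relationship with the patient."""
    return [
        (r["user"], r["patient"], r["action"], r["timestamp"])
        for r in rows
        if r["patient"] not in care_team.get(r["user"], set())
    ]


def find_repeat_access(rows, threshold=REPEAT_THRESHOLD):
    """(user, patient) pairs accessed at least `threshold` times."""
    counts = Counter((r["user"], r["patient"]) for r in rows)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def find_restricted_viewers(rows, restricted):
    """Every user who opened a restricted record, authorised or not, for human review."""
    return sorted({r["user"] for r in rows if r["patient"] in restricted})


def build_alerts(text, care_team=CARE_TEAM, restricted=RESTRICTED_RECORDS):
    """Run all three checks over the audit trail and return the findings."""
    rows = parse_log(text)
    return {
        "unauthorised": find_unauthorised_access(rows, care_team),
        "repeat": find_repeat_access(rows),
        "restricted_viewers": find_restricted_viewers(rows, restricted),
    }


if __name__ == "__main__":
    for kind, items in build_alerts(SAMPLE_LOG).items():
        print(kind, items)
```

The restricted-record check deliberately lists authorised viewers too: the point of an audit trail is that someone other than the person who opened the record decides whether the access was proper, rather than the access control silently deciding it was.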

UK Information Commissioner reprimands more police services. This time it is the Dover Harbour Board and Kent Police

March 19, 2024

Police breaching privacy is almost a cliché. The Victorian Police had a sub-specialty for years in misusing the LEAP database. In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy. Those breaches related to the use of the social media app WhatsApp and the instant-messaging service Telegram on personal phones to share information. The personal information was being shared in the group without appropriate safeguards in place.

This is a widespread problem. Encrypted social media messaging apps have been used by politicians and officials doing government business to communicate, and do business, away from official means of communication. The problem with messaging apps on personal devices is that they avoid the oversight that supervisors and managers should have. For example, while Prime Minister, Malcolm Turnbull used Wickr and Confide outside the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used those systems to send classified government information. But, as Mandy Rice-Davies said after hearing that Lord Astor had denied having sex with her, “He would, wouldn’t he.”

Regarding the Dover Harbour Board, the reprimand relates to the use of WhatsApp and then Telegram. The reprimand relevantly Read the rest of this entry »

UK Information Commissioner reprimands West Midlands Police for data protection breach

March 5, 2024

Managing data when organisations are flooded with it is an ongoing challenge, and a failure of that management can easily result in a data breach. Misfiling documents in the analog era was common enough; however, the chance of that resulting in a privacy breach was far rarer than it is today. The Information Commissioner has reprimanded the West Midlands Police for a data protection failure. The data breach resulted in one person receiving documentation intended for another person with the same name. Given that one was a suspect in crimes and the other a victim of domestic violence, this error was significant. As is usually the case, upon investigation the Commissioner found significant flaws in the way the WMP handled data and trained its officers. This is a typical problem. Data breaches often occur because there are inadequate processes and not much in the way of training.

The media statement provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.

On numerous occasions throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018.

This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child. Read the rest of this entry »

The UK Information Commissioner reprimands South Tees Hospitals for a serious harmful data breach.

January 28, 2024

The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified but it involved sending a letter relating to an upcoming appointment which found its way into the hands of another person. 

The ICO’s release provides:

The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to an unauthorised family member.

In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.

Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.

Joanne Stones, Group Manager at the Information Commissioner’s Office, said:

“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.

“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce the possibility of future disclosures in error.

Read the rest of this entry »

UK Information Commissioner’s Office fines Ministry of Defence for revealing the names of 265 people seeking relocation to the UK from Afghanistan after the Taliban took over.

January 1, 2024

A very common form of data breach by government agencies is for an officer, usually mid-ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then send the email to the wrong recipient, or send the wrong attachment to the intended recipient. Another variation I see quite commonly is someone sending an email to a large number of recipients via “Reply All” when the intention was to respond to only one person. Many of the “Alls” should not have seen the document.

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals releasing personal information of 245 people. The ICO statement provides:

    • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
    • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
    • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such a procedure provides a double check whereby an email drafted by one member of staff is cross-checked by another. Read the rest of this entry »
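As an added example, not part of this post and not the MoD’s own ARAP procedure, here is a small Python pre-send check modelled on the two points in the ICO statement: addresses placed in the ‘To’ (or ‘Cc’) field are visible to every recipient, and mass external mail should be cross-checked by a second person before it leaves. The message structure, the internal domain example.gov.test, the recipient addresses and the review threshold are all assumptions.

```python
"""
Added example: a pre-send policy check for outgoing mail. The message
structure, domain, addresses and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAIN = "example.gov.test"   # assumed: the sending organisation's own domain
MASS_MAIL_THRESHOLD = 5                # assumed: external recipients that require a second reviewer


@dataclass
class OutgoingMail:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)
    reviewed_by: Optional[str] = None  # the 'second pair of eyes', if any


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address is outside the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != internal_domain


def check_outgoing(mail, internal_domain=INTERNAL_DOMAIN, threshold=MASS_MAIL_THRESHOLD):
    """Return policy findings; an empty list means the mail may be sent."""
    findings = []
    visible_external = [a for a in mail.to + mail.cc if is_external(a, internal_domain)]
    all_external = visible_external + [a for a in mail.bcc if is_external(a, internal_domain)]

    # Several external recipients in To/Cc can all see each other's addresses.
    if len(visible_external) > 1:
        findings.append(f"{len(visible_external)} external recipients visible in To/Cc; use Bcc")

    # Mass external mail must be cross-checked by a second person.
    if len(all_external) >= threshold and not mail.reviewed_by:
        findings.append("mass external mail without second-person review")

    # The reviewer must be a different, internal member of staff.
    if mail.reviewed_by:
        if mail.reviewed_by == mail.sender:
            findings.append("reviewer must differ from sender")
        elif is_external(mail.reviewed_by, internal_domain):
            findings.append("reviewer must be internal")

    # Any attachment going outside also needs a second look (the wrong-attachment case).
    if mail.attachments and all_external and not mail.reviewed_by:
        findings.append("attachment to external recipient without review")

    return findings


# Constructed recipients standing in for a distribution list of external people.
RECIPIENTS = [f"person{i}@mail.test" for i in range(6)]


def demo():
    """Weak practice (everyone in 'To', no review) beside the corrected one."""
    weak = OutgoingMail(sender="team@example.gov.test", to=RECIPIENTS)
    fixed = OutgoingMail(sender="team@example.gov.test", bcc=RECIPIENTS,
                         reviewed_by="colleague@example.gov.test")
    return check_outgoing(weak), check_outgoing(fixed)


if __name__ == "__main__":
    weak_findings, fixed_findings = demo()
    print("weak:", weak_findings)
    print("fixed:", fixed_findings)
```

A check like this only catches the mechanics (field choice, recipient count, missing sign-off); whether the content of the message belongs with those recipients at all is still the reviewer’s job, which is why the sign-off is required to be a different person.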

UK Information Commissioner reprimands Charnwood Borough Council for disclosing the new address of a domestic abuse victim to her ex-partner. Meanwhile in Australia there is a serious data breach involving 11,000 records of the National Disability Insurance Agency.

November 30, 2023

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Oftentimes it is a list of individuals. In the UK, Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex-partner! It arose from an administrative bungle: a letter was sent to the previous address of the victim, which she had shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

    • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
    • A proper process is in place for address changes
    • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner. Read the rest of this entry »

Former NHS secretary found guilty of illegally accessing medical records

November 20, 2023

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary in the National Health Service for accessing the medical records of 150 people without authorisation. This ties in with my recent post of a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry. There is a chronic problem, one of the many in the health industry when it comes to privacy.

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so. Read the rest of this entry »

The UK Information Commissioner issues preliminary enforcement notice against Snap for failing to properly assess the privacy risk posed by its generative AI chatbot ‘My AI’

October 19, 2023

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law, as Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

    • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
    • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment. Read the rest of this entry »

UK Information Commissioner opens consultation on development guidance on the use of biometric data

August 22, 2023

In keeping with the times, and with some speed, the UK Information Commissioner has commenced the guidance development process regarding the use of biometric data. The draft guidance is found here.

The guidance details how data protection law will apply in the use of biometric data in biometric recognition systems. To that end it is aimed at organizations that use or are considering using biometric recognition systems.

Of note in the draft is coverage of:
  • the definition of biometric data and special category biometric data;
  • how biometric data is used in biometric recognition systems; and
  • the legal data protection requirements when using biometric data including when a Data Protection Impact Assessment (DPIA) is required.

Helpfully the guidance Read the rest of this entry »

The UK Information Commissioner’s Office issues a reprimand for an old-fashioned data breach … leaving confidential information in paper form in a public area. Not every data breach is cyber related

May 30, 2023

The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on large-scale hacks of databases. However, data breaches involving documents left in public places or sent to parties not entitled to them can be equally damaging. In this reported data breach (at an unnamed prison facility) the damage is serious as it revealed personal information about prison staff and inmates.

The press release provides:

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

The ICO investigation uncovered a lack of robust policies at the prison including:

    • no pre-agreed areas for staff to leave confidential waste in a secure place;
    • staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
    • inaccurate records of the number of staff who had completed data protection training; and
    • a general lack of staff understanding of the risks to personal data and the need to report data breaches.

The reprimand details a number of required or recommended actions including:

    • a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
    • the creation of a separate data breach reporting policy for staff.

The MoJ is also required to provide the ICO with a progress report by the end of October 2023.

The reprimand relevantly Read the rest of this entry »
