Peter A Clarke

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Often times it is a list of individuals. The UK Information Commissioner in Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

• • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
  • A proper process is in place for address changes
  • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner. Read the rest of this entry »

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary of the National Health Service for illegally accessing medial records of 150 people without authorisation. This ties in with my recent post of a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry.There is a chronic problem.  One of the many in the health industry when when it comes to privacy. 

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so. Read the rest of this entry »

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law. As Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

• • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
  • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment. Read the rest of this entry »

In keeping with the times and the speed of the UK Information Commissioner has commenced the guidance development process regarding the use of biometric data. The draft guidance is found here.

The guidance details how data protection law will apply in the use of biometric data in biometric recognition systems. To that end it is aimed at organizations that use or are considering using biometric recognition systems.

• the definition of biometric data and special category biometric data;
• how biometric data is used in biometric recognition systems; and
• the legal data protection requirements when using biometric data including when a Data Protection Impact Assessment (DPIA) is required.

Helpfully the guidance Read the rest of this entry »

The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on the large scale hacks of databases.  However data breaches involving documents left n public places or sent to parties not entitled to them can be as equally damaging.  In this reported data breach (at an unnamed prison facility) the damage is serious as it revealed personal information about prison staff and inmates. 

The press release provides:

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

The ICO investigation uncovered a lack of robust policies at the prison including:

• • no pre-agreed areas for staff to leave confidential waste in a secure place;
  • staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
  • inaccurate records of the number of staff who had completed data protection training; and
  • a general lack of staff understanding of the risks to personal data and the need to report data breaches.

The reprimand details a number of required or recommended actions including:

• • a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
  • the creation of a separate data breach reporting policy for staff.

The MoJ is also required to provide the ICO with a progress report by the end of October 2023.

The reprimand relevantly Read the rest of this entry »

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment though there are consequences if there is no notification when there should have been one.  It is regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told Data Breach today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire as the story Brooklyn Hospitals Decried for Silence on Cyber Incident.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed to a service and solicited information are commonly held .  Because the cost of storage is relatively inexpensive and data held digitally do not absorb physical space it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once Read the rest of this entry »

The Information Commissioner’s Office (“ICO”) published its long awaited and very welcome guidance on the use of privacy enhancing technologies (“PETs”).  Properly used PETs are an invaluable part of proper data protection.  The media release provides:

The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice. 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public. 

The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance. 

By enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs open up unprecedented opportunities to harness the power of data through innovative and trustworthy applications. The UK and US governments have launched a set of prize challenges to unleash the potential of PETs to tackle combat global societal challenges, supported by the ICO.

John Edwards, UK Information Commissioner, said:  

“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains. 

“Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”  

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.

As part of this, the ICO will call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront. 

Mr Edwards said:

“It’s not just regulators that need to take action – we need the industry to step up, too. We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”

At 40 pages the guidance is very comprehensive.

Some key issues that should be considered are:

• the definition of a PET is:

Read the rest of this entry »

A data breach is not confined to a cyber attack resulting in theft of personal information or the insertion of ransomware.  A data breach includes loss of paper documents in a public place or documents stored on a mobile device or memory stick.

The Information Commissioner issued a  formal reprimand to the Home Office, after sensitive documents were found at a public London venue in September 2021. It involved 4 documents in an envelope.

As is commonly the way of it, the documents were handed to police in September 2021.  The documents included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report. The reports contained personal data, including that of Metropolitan Police staff.

As often happens, the initial data breach is usually only the start of the organisation’s trouble.  The regulator found the Home Office’s processes lacking.

Not surprisingly the ICO found that the Home Office had failed to ensure an appropriate level of security of personal data, including where documents were classified as ‘Official Sensitive’ did not have a specific sign-out process for the removal of documents from the premises.

The reprimand relevantly Read the rest of this entry »

The Federal Trade Commissioner has been taking action against companies for misusing the personal information of children.  The UK Information Commisioner’s Office has also taken action on that front, against TikTok.  It has issued a notice of intent against TikTok for failing to protection children’s privacy.  The statement Read the rest of this entry »

The UK Information Commissioner has highlighted the case of Christopher O’Brien who was prosecuted for unlawfully accessing patient records of 14 patients of the South Warwickshire NHS Foundation Trust, all of whom were known to him.  The media release provides:

and

A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.

Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.

One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.

Mr O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, said:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

This sort of misbehaviour is not confined to the United Kingdom. The National Public Radio in 2015 did a piece on hospital workers snooping on celebrities medical records, including George Clooney, Kim Kardashian and Michael Jackson, to name a few.  It is a chronic problem in Australia within the health sector.  Last year the Health Care Complaints Commission prosecuted a complaint against registered nurse Ms Cody Rae Payne at the NSW Civil and Administrative Tribunal (‘the Tribunal’). Between January and August 2019  Payne accessed her own medical records as well as those of 34 other persons, including family members involved in family court legal proceedings without lawful authority. She provided information to her husband that she acquired as a result of that unauthorised access.

The hearing before the NSWCAT occurred after Payne had been criminally prosecuted for Read the rest of this entry »