Peter A Clarke

The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified but it involved sending a letter relating to an upcoming appointment which found its way into the hands of another person. 

The ICO’s release provides:

Read the rest of this entry »

A very common form of data breach by government agencies is for an officer, usually mid ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then send the email to the wrong recipient or sending the wrong attachment to the intended recipient.  Another variation I see quite commonly is someone sending an email to a large number of recipients as part of a “Reply All” when the intention was to respond to only one person.  Many of the “Alls” should not have seen the document.   

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals releasing personal information of 245 people. The ICO statement provides:

• • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
  • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
  • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such procedure provides a double check whereby an email instigated by one member of staff is cross checked by another. Read the rest of this entry »

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Often times it is a list of individuals. The UK Information Commissioner in Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

• • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
  • A proper process is in place for address changes
  • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner. Read the rest of this entry »

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary of the National Health Service for illegally accessing medial records of 150 people without authorisation. This ties in with my recent post of a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry.There is a chronic problem.  One of the many in the health industry when when it comes to privacy. 

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so. Read the rest of this entry »

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law. As Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

• • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
  • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment. Read the rest of this entry »

In keeping with the times and the speed of the UK Information Commissioner has commenced the guidance development process regarding the use of biometric data. The draft guidance is found here.

The guidance details how data protection law will apply in the use of biometric data in biometric recognition systems. To that end it is aimed at organizations that use or are considering using biometric recognition systems.

• the definition of biometric data and special category biometric data;
• how biometric data is used in biometric recognition systems; and
• the legal data protection requirements when using biometric data including when a Data Protection Impact Assessment (DPIA) is required.

Helpfully the guidance Read the rest of this entry »

The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on the large scale hacks of databases.  However data breaches involving documents left n public places or sent to parties not entitled to them can be as equally damaging.  In this reported data breach (at an unnamed prison facility) the damage is serious as it revealed personal information about prison staff and inmates. 

The press release provides:

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

The ICO investigation uncovered a lack of robust policies at the prison including:

• • no pre-agreed areas for staff to leave confidential waste in a secure place;
  • staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
  • inaccurate records of the number of staff who had completed data protection training; and
  • a general lack of staff understanding of the risks to personal data and the need to report data breaches.

The reprimand details a number of required or recommended actions including:

• • a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
  • the creation of a separate data breach reporting policy for staff.

The MoJ is also required to provide the ICO with a progress report by the end of October 2023.

The reprimand relevantly Read the rest of this entry »

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment though there are consequences if there is no notification when there should have been one.  It is regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told Data Breach today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire as the story Brooklyn Hospitals Decried for Silence on Cyber Incident.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed to a service and solicited information are commonly held .  Because the cost of storage is relatively inexpensive and data held digitally do not absorb physical space it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once Read the rest of this entry »

The Information Commissioner’s Office (“ICO”) published its long awaited and very welcome guidance on the use of privacy enhancing technologies (“PETs”).  Properly used PETs are an invaluable part of proper data protection.  The media release provides:

The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice. 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public. 

The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance. 

By enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs open up unprecedented opportunities to harness the power of data through innovative and trustworthy applications. The UK and US governments have launched a set of prize challenges to unleash the potential of PETs to tackle combat global societal challenges, supported by the ICO.

John Edwards, UK Information Commissioner, said:  

“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains. 

“Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”  

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.

As part of this, the ICO will call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront. 

Mr Edwards said:

“It’s not just regulators that need to take action – we need the industry to step up, too. We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”

At 40 pages the guidance is very comprehensive.

Some key issues that should be considered are:

• the definition of a PET is:

Read the rest of this entry »

A data breach is not confined to a cyber attack resulting in theft of personal information or the insertion of ransomware.  A data breach includes loss of paper documents in a public place or documents stored on a mobile device or memory stick.

The Information Commissioner issued a  formal reprimand to the Home Office, after sensitive documents were found at a public London venue in September 2021. It involved 4 documents in an envelope.

As is commonly the way of it, the documents were handed to police in September 2021.  The documents included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report. The reports contained personal data, including that of Metropolitan Police staff.

As often happens, the initial data breach is usually only the start of the organisation’s trouble.  The regulator found the Home Office’s processes lacking.

Not surprisingly the ICO found that the Home Office had failed to ensure an appropriate level of security of personal data, including where documents were classified as ‘Official Sensitive’ did not have a specific sign-out process for the removal of documents from the premises.

The reprimand relevantly Read the rest of this entry »