Operational Risks and Penalties
We all know about the potential for huge fines under the new EU General Data Protection Regulation (GDPR) and now the UK Data Protection Act 2018. These have been grabbing headlines for over a year in the lead-up to Implementation Day on 26th May 2018.
Most headline penalties are based on the higher maximum level of fines: 4% of global annual turnover or Euro 20m, whichever is higher. But there is also a standard maximum level, which is 2% of global annual turnover or Euro 10m, whichever is higher. Yes, both are hefty penalties – they apply to turnover, not profits.
Higher level penalties can apply to any failure relating to: the data protection principles; the rights of the individual; and data transfers to third countries.
Standard maximum level penalties can apply to infringement of the administrative requirements of the regulations – breaches of controller or processor obligations, for example.
The size of the penalty will depend on a number of factors: the behaviour of the organisation; what steps have been taken to be compliant; how this can be demonstrated to the ICO; and whether the organisational culture takes data protection seriously.
Data breach penalties
So, let’s look at some recent data breach penalties:
Heathrow Airport – data breach through the loss of a USB stick in Oct 2017 – a penalty of £120k was levied under the previous Data Protection Act 1998. The investigation by the ICO found:
- only 2% of the 6,500-strong workforce had been trained in data protection
- there was widespread use of removable media (e.g. USB sticks, CDs), which contravened the company’s guidance
- the controls in place to prevent personal data from being downloaded onto unauthorised or unencrypted (removable) media were ineffective
Bayswater Medical Centre – left sensitive data in an empty building in July 2015 – a penalty of £35k was levied under the previous Data Protection Act 1998. The investigation by the ICO found:
The data was left from July 2015 to February 2017, during which time access to the building was granted to other organisations. Emails to the medical centre about the unsecured data had not been actioned.
Examples of how poorly the data was secured in the empty building:
- Patient identifiable data was lying on a desk and in a bin in one of the consultation rooms
- Medical records were stored in 2 unlocked cabinets with the keys left in the locks
- Boxes of prescribed medication containing patient identifiable information were left throughout the premises
The ICO found that the Centre had:
- Failed to adhere to its own policies regarding security of medical records, patient confidentiality and confidential waste disposal
- Failed to take adequate physical measures to secure the building
- Failed to take any or any sufficient measures to secure the physical security of patient identifiable data in the building
Former hospital worker prosecuted for inappropriately accessing patient records between March 2016 and January 2017
- She inappropriately accessed the records of 12 patients outside of her role as receptionist/general
- She was prosecuted for unlawfully accessing personal data and unlawfully disclosing personal data under the Data Protection Act 1998 and was additionally fined £230
What does this mean for your practice or organisation?
Well, a number of risk reduction steps should be taken:
- staff training in data protection
- data handling guidelines
- security procedures – physical and electronic
- encryption of removable devices
- restriction of data downloads
- understanding your role – Controller/Processor
- data breach procedures
- being able to demonstrate compliance with data protection regulations
- building a culture of taking data protection seriously
There’s more. See our checklist!
Today’s fact. The ICO quarterly statistics on reported data security incidents found that in Q4 2017, four of the five leading causes (in cases where the ICO took action) involved human error and process (control) failures.
=> Employee training and data handling guidelines are ‘must haves’ for organisations processing sensitive (i.e. medical) data.
See you next week!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited