When things go wrong: information governance breaches and the role of the ICO
David Evans, Senior Policy Officer
Where it did go wrong
- NHS Surrey: £200,000 monetary penalty notice (MPN), June 2013
- The events leading up to the MPN: the actions of the data controller; what the data processor said and what the data processor did
- The consequences: individual and corporate
The data controller
- A PCT with a budget of over £1.7bn
- Contacted by an IT asset disposal company
- Provided with certification
- Took them on trial with some supervision, but not of the destruction process
- Further engaged them for hard drive destruction despite an existing arrangement with an approved contractor
The data processor
- Service free of charge
- Claimed other high-profile customers
- Provided an Environment Agency waste management licence and an authorised treatment facility licence
- Said destruction would be by industrial guillotine
- Collected 1,570 PCs with hard drives between March 2010 and May 2012
- Provided certification saying hard drives had been "wiped/destroyed/recycled"
What happened
- A member of the public purchased a PC with hard drive from an internet auction site
- Found sensitive personal data: records of 900 adults and 2,000 children
- More sold PCs came to light
- PC and hard drive serial numbers were checked against the destruction certificates, and more sensitive personal data was found
What the ICO found
- Over 1,570 PCs with hard drives offered for sale
- The DC did not choose a DP that provided sufficient guarantees about the security of the process
- Lead IG individual NOT involved
- No written contract between DC and DP
- No risk assessment, nor individual certificates of destruction
- No monitoring of the DP's processes
- Failure to take appropriate organisational measures, likely to cause individuals substantial distress
What the ICO concluded
- A large amount of patient and staff data on the PCs
- A large project (over 1,500 PCs over 2 years) required the highest security level
- The DC knew, or should have known, and failed to act
- Vague destruction certificates ("wiped, destroyed/recycled") were an early warning
- Obvious that tighter controls were appropriate: risk assessment, monitoring the destruction, individual PC destruction certificates
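The control the case turns on is reconciliation: every collected drive's serial number checked against an individual destruction certificate, the method on that certificate, and any later resale checks. Added Python example, not ICO material; all serial numbers, methods and records are constructed:

```python
from dataclasses import dataclass

# Added example, not ICO code. Methods the contract specified; anything else
# (e.g. "wiped/destroyed/recycled") is treated as vague, as in the NHS Surrey case.
ACCEPTED_METHODS = {"industrial guillotine", "shredded", "degaussed and shredded"}

@dataclass(frozen=True)
class Asset:
    pc_serial: str
    hd_serial: str

@dataclass(frozen=True)
class Certificate:
    hd_serial: str  # an individual certificate names exactly one drive
    method: str     # free-text method as written by the processor

def reconcile(register, certificates, resold_serials=()):
    """Return, per control check, the drive serials that fail it."""
    certs_by_drive = {c.hd_serial: c for c in certificates}
    resold = set(resold_serials)
    failures = {"no_certificate": [], "vague_method": [], "resold_after_cert": []}
    for asset in register:
        cert = certs_by_drive.get(asset.hd_serial)
        if cert is None:
            # Drive left the site but no per-drive certificate came back.
            failures["no_certificate"].append(asset.hd_serial)
        elif cert.method.strip().lower() not in ACCEPTED_METHODS:
            # Certificate exists but does not name an accepted method.
            failures["vague_method"].append(asset.hd_serial)
        if cert is not None and asset.hd_serial in resold:
            # Certified destroyed, yet seen in a later check of resale listings.
            failures["resold_after_cert"].append(asset.hd_serial)
    return failures

# Constructed sample data: three drives collected, two certificates returned.
SAMPLE_REGISTER = [Asset("PC-0001", "HD-A1"), Asset("PC-0002", "HD-B2"),
                   Asset("PC-0003", "HD-C3")]
SAMPLE_CERTS = [Certificate("HD-A1", "Industrial guillotine"),
                Certificate("HD-B2", "wiped/destroyed/recycled")]
SAMPLE_RESOLD = ["HD-B2"]  # serial spotted when checking auction-site listings

if __name__ == "__main__":
    for check, drives in reconcile(SAMPLE_REGISTER, SAMPLE_CERTS, SAMPLE_RESOLD).items():
        print(f"{check}: {', '.join(drives) or 'none'}")
```

Any non-empty list is a monitoring finding to raise with the processor before the next collection, which is the early warning the ICO said the vague certificates should have been.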
Reporting to the ICO
- The type of information and number of records
- The circumstances of the loss / release / corruption
- Action taken to minimise / mitigate the effect on the individuals involved, including whether they have been informed
- Details of how the breach is being investigated
- Whether any other regulatory body has been informed, and their response
- Remedial action taken to prevent future occurrence
- Any other information you feel may assist us in making an assessment
The role of the Information Commissioner
"It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers." s.51(1) DPA
"It shall be the duty of the Commissioner to promote the following of good practice by public authorities and, in particular, so to perform his functions under this Act as to promote observance of (a) the requirements of this Act, and (b) the provisions of the codes of practice under sections 45 and 46." s.47(1) FOIA
Complying with the Data Protection Act: the Principles
- Processing needs to be fair and lawful (Schedule 2 and Schedule 3 conditions)
- Purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Kept for no longer than necessary
- Observe the rights of individuals
- Keep secure
- Keep the data within the EEA or ensure an adequate level of protection
How the ICO can help - Codes of Practice
- CCTV Code of Practice (2008)
- Assessment Notices Code of Practice (2010)
- Data Sharing Code of Practice (2011)
- Employment Code of Practice (revised 2011)
- Personal Information Code of Practice (2010)
- Privacy Notices Code of Practice (2010)
- Anonymisation Code of Practice (2012)
How the ICO can help - Guidance
- The Guide to Data Protection
- Guide to ICO data protection audits
- Identifying data controllers and data processors
- Training checklist for small and medium size organisations
- Monetary penalties statutory guidance
- Subject access to health records by members of the public
- Privacy by design - Privacy impact assessments - Privacy enhancing technologies
- Bring your own device (BYOD) guidance
- Cloud computing
- IT asset disposal
IG Review comment
The ICO told the review panel that no civil monetary penalties had been served for a breach of the Data Protection Act arising from data sharing which had been carried out appropriately and which had a legitimate data sharing agreement.
And another one
The Review Panel concludes that individuals should not be discouraged from sharing simply through fear of doing this incorrectly. With the help of the ICO's data sharing code, and tools such as privacy impact assessments, data sharing can be achieved, where appropriate, in a secure and proper way.
Contact us
- Helpline - 0303 123 1113 or 01625 545745
- Textphone and translation service - 01625 545860
- Website - http://www.ico.org.uk/ and websitefeedback@ico.org.uk
- Advice about the law - casework@ico.org.uk
- Notification queries - notification@ico.org.uk
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk, or find us at /iconews and @iconews