Virgin Media, and a stray email

Anyone who’s worked for a large organisation is likely to be familiar with the situation when someone mistakenly sends an email to everyone who works there. Replies – to all – start straight away: “Hi, I don’t know what this means?” “Hi, nor me” “Hi, I don’t think you meant to send this to me” “Nor me” “Hi everyone, please don’t ‘reply to all’” “Hi, you just did the same thing!!!” “Stop replying to all!” “You too!!!” “AAAAGGGHHHH!!!” etc etc, until eventually it settles down.

And then two weeks later someone comes back from leave and replies to all “Hi, I don’t know what this means”…

I imagine the frustration felt by fellow employees in those circumstances doesn’t begin to equate to that felt by some Virgin Media customers, if stories about an incident yesterday are correct. As The Register reports

The broadband biz emailed Brits using its virgin.net email service, which is provided by Google, to warn them of some forthcoming changes…But any email replies to that message were sent to everyone on the mailing list: the email address the update was sent from acted as a conduit to the full list of virgin.net customers. This not only spewed hundreds of extra missives into inboxes, it also shared the senders’ email addresses with everyone on the list

And the BBC says

Some people reported receiving hundreds of emails, including spam messages and light-hearted exchanges between other customers.

I’ve added the emphasis there, to highlight how excruciatingly annoying it must have been to be on the receiving end of hundreds of light-hearted messages like “I don’t know why you’re emailing me” “Stop replying to all!!!” “You’re doing it too LOL!!” ad nauseam.

Virgin Media have apologised, and tell customers that the issue is now resolved

A small proportion of our customers have received an email from one of our suppliers which, if they reply-all, it is sent to a wider group…We are confident that this issue has now been resolved, the problem stopped and further messages prevented.

I’ve just got a couple of observations to make. One is that “a small proportion of our customers” does not necessarily mean a small number, and while this is not quite a simple “reply to all” issue (it seems that the mailing list was wrongly configured) it clearly caused considerable disruption for those affected. And if Wikipedia is correct Virgin Media has several million customers – a “small proportion” of those could well number the 130,000-odd that some news outlets are claiming were affected. And the other observation is that as far as I can see Virgin Media don’t say whether they have informed the Information Commissioner, who will, no doubt, be wanting to ask some questions to establish whether this incident was as a result of a serious contravention of the data controller’s obligations under the Data Protection Act 1998. After all it only takes one careless individual to send a wrongly-addressed email, but it might point to information security failings if a mailing list is wrongly configured.
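The mechanism The Register describes (the address the notice was sent from acting as a conduit to the whole list) is a mailing-list configuration problem, not a reply-all by a careless customer. The following is an added illustration, not code from this post, from Virgin Media or from Google: it simulates a mail system expanding a list address, shows how a notification whose Reply-To points at that list turns every reply into a message to all subscribers, and gives a pre-send check a sender could run. The list address, reply mailbox and subscriber addresses are constructed samples.

```python
"""Why a Reply-To that points at a list-expanding address causes a reply storm.

Added illustration, not code from the blog post or from Virgin Media/Google.
All addresses below are constructed samples.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed subscriber list for the bulk notification.
SUBSCRIBERS = [f"customer{i}@example.net" for i in range(1, 6)]

# Hypothetical list-expanding address: anything mailed to it fans out to SUBSCRIBERS.
LIST_EXPANDER = "service-updates@lists.example.net"
# Hypothetical ordinary mailbox where replies should land instead.
REPLY_MAILBOX = "customer-care@example.net"


def expand(recipients):
    """Simulate the mail system's alias/list expansion for a set of addresses."""
    out = set()
    for addr in recipients:
        if addr == LIST_EXPANDER:
            out.update(SUBSCRIBERS)
        else:
            out.add(addr)
    return out


def reply_recipients(notification, reply_all=True):
    """Who ends up receiving a customer's reply to `notification`?

    A mail client replying uses Reply-To if present, otherwise From; "reply all"
    additionally copies the visible To/Cc recipients. Expansion then applies.
    """
    targets = getaddresses(
        notification.get_all("Reply-To", []) or notification.get_all("From", [])
    )
    addrs = {a for _, a in targets}
    if reply_all:
        visible = notification.get_all("To", []) + notification.get_all("Cc", [])
        addrs |= {a for _, a in getaddresses(visible)}
    return expand(addrs)


def build_notification(reply_to, to):
    """Construct a sample service notice with the given Reply-To and To headers."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.net"
    msg["To"] = to
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "Changes to your email service"
    msg.set_content("constructed notice body")
    return msg


def lint_notification(notification):
    """Pre-send check: flag any reply path that resolves to more than one mailbox."""
    problems = []
    for header in ("From", "Reply-To", "To", "Cc"):
        addrs = {a for _, a in getaddresses(notification.get_all(header, []))}
        fanout = expand(addrs)
        if len(fanout) > 1:
            problems.append(f"{header} expands to {len(fanout)} mailboxes")
    return problems


if __name__ == "__main__":
    # Misconfigured: the notice is addressed to, and asks for replies to, the list itself.
    bad = build_notification(LIST_EXPANDER, LIST_EXPANDER)
    print("misconfigured reply reaches:", sorted(reply_recipients(bad)))
    print("lint:", lint_notification(bad))
    # Corrected: sent to one customer at a time, replies directed to a plain mailbox.
    good = build_notification(REPLY_MAILBOX, SUBSCRIBERS[0])
    print("corrected reply reaches:", sorted(reply_recipients(good)))
    print("lint:", lint_notification(good))
```

The lint function only needs the sender's own knowledge of which addresses expand; the point is that the check belongs before the send, because once the first customer replies the fan-out is already under way.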



Filed under Breach Notification, Data Protection, Information Commissioner

Opting patients out of care.data – in breach of data protection law?

The ICO appear to think that GPs who opt patients out of care.data without informing them would be breaching the Data Protection Act. They say it would be unfair processing

In February of this year GP Dr Gordon Gancz was threatened with termination of his contract, because he had indicated he would not allow his patients’ records to be uploaded to the national health database which was planned to be created under the care.data initiative. He was informed that if he didn’t remove information on his website, and if he went on to add “opt-out codes” to patients’ electronic records, he would be in breach of the NHS (GMS contract) Regulations 2004. Although this threatened action was later withdrawn, and care.data put on hold for six months, Dr Gancz might have been further concerned to hear that in the opinion of the Information Commissioner’s Office (ICO) he would also have been in breach of the Data Protection Act 1998 (DPA).

A few weeks ago fellow information rights blogger Tim Turner (who has given me permission to use the material) asked NHS England about the basis for Health Services Minister Dan Poulter’s statement in Parliament that

NHS England and the Health and Social Care Information Centre will work with the British Medical Association, the Royal College of General Practitioners, the Information Commissioner’s Office and with the Care Quality Commission to review and work with GP practices that have a high proportion of objections [to care.data] on a case-by-case basis

Tim wanted to know what role the ICO would play. NHS England replied saying, effectively, that they didn’t know, but they did disclose some minutes of a meeting held with the ICO in December 2013. Those minutes indicate that

The ICO had received a number of enquiries regarding bulk objections from practices. Their view was that adding objection codes would constitute processing of data in terms of the Data Protection Act. If objection codes had been added without writing to inform their patients then the ICO’s view was that this would be unfair processing and technically a breach of the Act so action could be taken by the ICO

One must stress that this is not necessarily a complete or accurate representation of the ICO’s views. However, what appears to be being said here is that, if GPs took the decision to “opt out” their patients from care.data, without writing to inform them, this would be an act of “processing” according to the definition at section 1(1) of the DPA, and would not be compliant with the GPs’ obligations under the first DPA principle to process personal data fairly.

On a very strict reading of the DPA this may be technically correct – for processing of personal data to be fair data subjects must be informed of the purposes for which the data are being processed, and, strictly, adding a code which would prevent an upload (which would otherwise happen automatically) would be processing of personal data. And, of course, the “fairness” requirement is absent from the proposed care.data upload, because Parliament, in its wisdom, decided to give the NHS the legal power to override it. But “fairness” requires a broad brush, and the ICO’s interpretation here would have the distinctly odd effect of rendering unlawful a decision to maintain the status quo whereby patients’ GP data does not leave the confidential confines of their surgery. It also would have the effect of supporting NHS England’s apparent view that GPs who took such action would be liable to sanctions.

In fairness (geddit???!!) to the ICO, if a patient was opted out who wanted to be included in the care.data upload, then I agree that this would be in breach of the first principle, but it would be very easily rectified, because, as we know, it will be simple to opt-in to care.data from a previous position of “opt-out”, but the converse doesn’t apply – once your data is uploaded it is uploaded in perpetuity (see my last bullet point here).

A number of GPs (and of course, others) have expressed great concern at what care.data means for the confidential relationship between doctor and patient, which is fundamental for the delivery of health care. In light of those concerns, and in the absence of clarity about the secondary uses of patient data under care.data, would it really be “unfair” to patients if GPs didn’t allow the data to be collected? Is that (outwith DPA) fair to GPs?


Filed under care.data, Confidentiality, Data Protection, data sharing, Information Commissioner, NHS

Kent Police get £100,000 penalty for poor data security

I blogged last week about “data breaches”, and the need to define and sometimes to differentiate between a breach of the Data Protection Act 1998 (DPA) and a general data security breach. Well, I’m (not at all) pleased to say that today’s news of the latest monetary penalty notice (MPN) served by the Information Commissioner’s Office (ICO) on Kent Police doesn’t need any such nuanced analysis. Here was a data security breach which was also a manifest breach of the DPA.

A police officer, by chance, discovered in some premises video tapes clearly marked as police material. He subsequently ascertained that the owner had found them, and much more besides, in the basement of a former police station which he had purchased. It is difficult to think of more sensitive information than the kind which was involved here. In part it consisted of

documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals. These included files relating to threats to kill, rape, grievous bodily harm and child abuse cases; interviews with victims, witnesses/informants and suspects

Although the force had initially

taken some steps to safeguard the information by carrying out inspections of the former police station which identified that items were still in situ

the failure to have any policies in place, or to assign responsibility to anyone, meant that this was a clear and serious contravention of the seventh data protection principle (relating to data security measures) of a kind likely to cause, at least, substantial distress. I would add, although the ICO does not, that it might well have been also a serious contravention of the fifth principle (“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”). Given this, it is somewhat surprising that this case falls (admittedly at the top end) into the lowest category of cases qualifying for an MPN (the ICO’s internal guidance says that these cases will attract an amount of £40,000 to £100,000). Bearing in mind that Brighton and Sussex University Hospitals NHS Foundation Trust got an MPN of £325,000 for failing to dispose of computer hard drives properly, this current MPN seems low.

It also, once again, draws attention to the importance of good records management within police forces. I wrote only recently, in the context of the Ellison Review of policing relating to the Stephen Lawrence inquiry, about how records management is essential for the operation of the rule of law and the current case just gives even greater strength to this.


Filed under Data Protection, enforcement, Information Commissioner, monetary penalty notice, police, records management

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d noticed a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.


Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

Your Twitter account is worth…

SWEET F.A.

Go and learn some economics. Something’s value is determined by what people are prepared to pay for it, and no one wants to buy your Twitter account. Don’t be so greedy.


Filed under nonsense, social media

Sale of patient data – time for an independent review?

The Sunday Times reports that a billion patient records have been sold to a marketing consultancy. Is it time for an independent review of these highly questionable data sharing practices?

In 2012, at the behest of the then Secretary of State for Health, Andrew Lansley (driver of the Health and Social Care Act 2012), Dame Fiona Caldicott chaired a review of information governance in the NHS. Her report, which focused on the issue of sharing of information, was published in April 2013. At the time a statement in it, referring to the Information Commissioner’s Office (ICO) stood out to me, and it stands out even more now, but for different reasons. It says

The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose

At the time, I thought “Well duh” – of course the ICO is not going to take enforcement action where there has been a formal data sharing agreement, because, clearly, the parties entering into such an agreement are going to make sure they do so lawfully, and with regard to the ICO guidance on data sharing – lawful and proportionate data sharing is, er, lawful, so the ICO wouldn’t be able to take action.

But now, with the frequent and worrying stories emerging of apparent data sharing arrangements between the NHS Information Centre (NHSIC), and its successor, the Health and Social Care Information Centre (HSCIC), I start to think the ICO’s comments are remarkable for what they might reveal about them looking in the wrong direction, when they should have been paying more attention to the lawfulness of huge scale data sharing arrangements between the NHS and private bodies. And now, The Sunday Times reports that

A BILLION NHS records containing details of patients’ hospital admissions and operations have been sold to a marketing consultancy working for some of the world’s biggest drug companies

I think it is time for a wholesale review, properly funded, by the ICO as independent regulator, of these “formal data sharing” arrangements. They appear to have a questionable legal basis, based to a large extent on questionable assumptions and assurances that pseudonymisation equates to anonymisation (which anyone who looks into will realise is nonsense).
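The point that pseudonymisation is not anonymisation can be shown with a check a data controller could run before any release. The following is an added illustration, not code from this post, from HSCIC or from the Sunday Times article: it pseudonymises a direct identifier in a constructed hospital-episode extract, then measures the k-anonymity of the remaining quasi-identifiers (birth year, sex, outward postcode) and shows that the pseudonym does nothing to stop individual rows being unique, while generalising those fields does. The NHS numbers, postcodes and procedures are fictitious.

```python
"""Why pseudonymisation is not anonymisation: a k-anonymity check before release.

Added illustration, not from the blog post, HSCIC or the Sunday Times report.
Records are constructed samples; identifiers are fictitious.
"""
import hashlib
from collections import Counter


def pseudonymise(nhs_number, salt="constructed-salt"):
    """Replace a direct identifier with a consistent token (typical 'pseudonymisation')."""
    return hashlib.sha256((salt + nhs_number).encode()).hexdigest()[:16]


# Constructed extract after pseudonymisation: direct identifier replaced by a token,
# quasi-identifiers left in clear, as is common in "pseudonymised" releases.
RECORDS = [
    {"pid": pseudonymise("0000000001"), "birth_year": 1954, "sex": "F", "postcode_out": "SW1A", "procedure": "hip replacement"},
    {"pid": pseudonymise("0000000002"), "birth_year": 1957, "sex": "F", "postcode_out": "SW1V", "procedure": "cataract"},
    {"pid": pseudonymise("0000000003"), "birth_year": 1954, "sex": "F", "postcode_out": "SW1A", "procedure": "appendectomy"},
    {"pid": pseudonymise("0000000004"), "birth_year": 1981, "sex": "M", "postcode_out": "M1", "procedure": "knee arthroscopy"},
    {"pid": pseudonymise("0000000005"), "birth_year": 1985, "sex": "M", "postcode_out": "M4", "procedure": "tonsillectomy"},
    {"pid": pseudonymise("0000000006"), "birth_year": 1958, "sex": "F", "postcode_out": "SW1P", "procedure": "hernia repair"},
]

# Columns that are not identifiers on their own but together single people out.
QUASI_IDENTIFIERS = ("birth_year", "sex", "postcode_out")


def _classes(records, quasi):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers; k=1 means some row is unique."""
    return min(_classes(records, quasi).values())


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Rows whose quasi-identifier combination appears only once in the release."""
    counts = _classes(records, quasi)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] == 1]


def generalise(records):
    """One mitigation: coarsen quasi-identifiers (decade of birth, postcode area letters)."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = r["birth_year"] // 10 * 10
        g["postcode_out"] = r["postcode_out"][:2].rstrip("0123456789")
        out.append(g)
    return out


if __name__ == "__main__":
    # The pid column is ignored by the check: the token is irrelevant to whether a row is unique.
    print("k before generalisation:", k_anonymity(RECORDS))
    print("unique rows:", len(unique_records(RECORDS)))
    print("k after generalisation:", k_anonymity(generalise(RECORDS)))
```

The pid column never enters the calculation, which is the whole point: replacing the NHS number with a hash leaves every row exactly as distinguishable as it was, so a release with k=1 still contains people who can be picked out by anyone holding their date of birth, sex and postcode.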

And I think the review should also consider how and why these arrangements appear to have deliberately been taking place behind the backs of the patients whose data has been “shared”.


Filed under care.data, Data Protection, data sharing, Information Commissioner, monetary penalty notice, NHS, Privacy

Analysis prompted by Morrisons “data breach”

Yesterday’s data breach involving Morrisons supermarket and its staff payroll illustrates how difficult it is properly to handle such incidents, and perhaps provides some learning points for the future. But it also raises issues about what a “data breach” is.

What do we mean by “data breach”, “personal data breach”, “data security breach” etc?

The draft European General Data Protection Regulation (GDPR), which continues to slouch its way towards implementation, says in its current form that

In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority [and]

When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay
“without undue delay” is, by virtue of (current) recital 67, said to be “not later than 72 hours” (in the original draft it was “where feasible, within 24 hours”). However “personal data breach” is not defined – it is suggested rather that the proposed European Data Protection Board will set guidelines etc for determining what a “breach” is.

What is not clear to me is whether a “breach” is to be construed as “a breach of the data controller’s legal obligations under this Regulation”, or, more generally, “a breach of data security”. Certainly under the current domestic scheme there is, I would argue, confusion about this. A “breach of data security” is not necessarily equivalent to a breach of the Data Protection Act 1998 (DPA). To give a ludicrous example: if a gunman holds a person hostage, and demands that they unencrypt swathes of personal data from a computer system and give it to them, then it is hard to see that the data controller has breached the DPA, which requires only that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (which clearly cannot be construed as an unlimited obligation) but there has most certainly been a breach of data security.

It is unclear whether Morrisons chose to inform the Information Commissioner (ICO) about their incident, but the wording they’ve used to describe it suggests they are seeing this not as a breach of their obligations under the DPA, but as a potentially criminal act of which they were the victim: on their Facebook page they describe it as an “illegal theft of data” and that they are liaising with “the police and highest level of cyber crime authorities” (a doughnut to anyone who can explain to me what the latter is, by the way). If an offence has been committed under section 55 of the DPA (or possibly under the Computer Misuse Act 1990) there is a possible argument that the data controller is not at fault (although sometimes the two can go together – as I discuss in a recent post). Morrisons make no mention of the ICO, although I have no doubt that they (ICO) will now be aware and making enquiries. And, if Morrisons’ initial assessment was that they hadn’t breached the DPA (i.e. that they had taken the appropriate technical and organisational measures to mean they were not in breach of the seventh DPA principle), they might quite understandably argue that there was no need to inform the ICO, who, after all, regulates only compliance with the DPA and not broader issues around security breaches. There was certainly no legal obligation under current law for Morrisons to self-notify. Plenty of data controllers do, often ones in the public sector (the NHS Information Governance toolkit even automatically delivers a message to the ICO if an NHS data controller records a qualifying incident) but even the ICO’s guidance is unclear as to the circumstances which would trigger the need to self-notify. Their guidance is called “Notification of data security breaches to the ICO” but in the overview at the very start of that guidance it says

Report serious breaches of the seventh principle
Ultimately I see it boiling down to two interpretations: report a data security breach so that the ICO can assess whether it is a serious breach of the seventh principle, or, assess the data security breach yourself, and if you assess it as a serious breach of the seventh principle, report that to the ICO. This is not obligatory under the current domestic data protection law, so to an extent it is an arid discussion, but if the obligation to notify does become obligatory under the GDPR it will become much more important.

There is one domestic law under which it is obligatory to report a “personal data breach”. The Privacy and Electronic Communications (EC Directive) Regulations 2003 amended by 2011 Regulations, require a provider of a public electronic communications service to notify the ICO of
 
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service
This notably does not specify that the breach has to constitute a breach of the service provider’s DPA obligations, and one wonders if this is the sort of thing that will be specified as a breach once the GDPR is implemented.
 
Morrisons’ notification to data subjects
The people whose data was apparently compromised in the Morrisons “breach” were its staff – it was payroll information which was allegedly stolen and misused. It appears that Morrisons emailed those staff with internal email addresses (how many checkout staff and shelf-stackers have one of those?) and then, as any modern, forward-thinking organisation might, it posted a message on its Facebook page.

However, I really wonder about that as a strategy. The comments on that Facebook page seem to be threatening to turn the incident into a personnel, and public communications disaster, with many people saying they had heard nothing until they read the message. Moreover, one wonders to what extent some staff might have been misled, or have misled themselves, into assuming that the comments they were posting were on some closed forum or network. As was suggested to me on Twitter yesterday, some of the comments look to be career-limiting ones, but by engaging on its social media platform, might Morrisons be seen to have encouraged that sort of robust response from employees?


Much of this still has to play out – notably whether there was any contravention of the DPA by Morrisons – but, in a week when their financial performance came under close scrutiny, their PR handling of this “data breach” will also be looked at very closely by other data controllers for lessons in case they are ever faced with a similar situation.



Filed under Breach Notification, Data Protection, employment, Information Commissioner, PECR, social media