Category Archives: Breach Notification

August 31, 2012 · 10:22 am

Data Security and Churnalism

On the lazy reporting of a silly story about increases in data breaches

Over the past couple of days the following have all published stories on the fact that data breaches in the UK have “rocketed” or “spiked” by an “alarming” 1000% over the last five years.

Computer Business Review
Techweek Europe
The Nextweb
Public Service
Help Net Security
V3.co.uk
Computing.co.uk
SC Magazine
UKAuthority.com
The Register
Computer World UK
The BBC

These are mostly well-respected news sources, serving either the tech industries or the public sector. All of them report this story as though the news that self-reporting to the Information Commissioner of serious data breaches is a bad thing. I’ve given the links to the stories not because I want to increase their clicks, but to show the remarkable similarity between them. This is not surprising, as they are all picking up on a press release by Imation (ironically, as a non-hack, I don’t have access to it) which was issued following an FOI request to the Information Commissioner. The response to the request showed that, indeed, in 2007-08 the number of breaches reported to the ICO was 79, and in 2011-12 it was 828. But does that really mean that “Data breaches in the UK have increased tenfold in the past five years” as the BBC put it?

The answer, certainly, is “no”.

The reporting of breaches has increased by that proportion. But that is not particularly surprising. As far as I recall the first guidance issued by the ICO on reporting serious breaches was only issued in July 2010.  Before that while there may have been an inferrable assumption that serious breaches should be reported, there was not much in the way of clear direction or expectation until relatively recently. This expectation has become much more explicit since the ICO gained powers to issue civil monetary penalties for serious breaches. Now, all major data controllers know that when there is a serious breach of data security it needs to be reported to the ICO (and for telecoms providers, there is a lawful requirement to do so under the Privacy and Electronic Communications (EC Directive) Regulations 2003).

But is it a bad thing that numbers of reported incidents has increased? Of course not. All breaches of data security are to be regretted, and lessons learnt to avoid they don’t recur. But data controllers need to be encouraged to recognise breaches, and put their hands up when they happen. The ICO even considers self-reporting to be a mitigating factor when assessing what action he should take.

I doubt that many, if any of the people writing for the websites I link to above really think that data security breaches (rather than reports of breaches) have increased 1000% over five years. I’m sure their writers and reporters are very busy, and an eye-catching press release makes for easy copy. But these websites (with the execption of the BBC) are important and specialist sources of information. For them to resort to “churnalism” (a form of journalism in which press release…are used to create articles…without undertaking further research or checking) at the expense of common-sense, especially when it might lead to greater reluctance to self-report, is greatly to be regretted.

 

 

 

 

 

 

 

 

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner, PECR

Tagged as ,

May 21, 2012 · 1:35 pm

Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended forSt John’sHospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

 The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions”

 All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

 What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

 Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

 Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

 what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven it’s decisions so far.”

Perhaps we have indeed now arrived at that point.

EDIT, 7 August 2012:

The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day-hearing in December. This will be a major case.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner

February 17, 2012 · 4:30 pm

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

 The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant -“person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.

Leave a comment

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

January 10, 2012 · 7:11 pm

Potential big DPA fine for NHS Trust

The Argus, a Brighton newspaper, is reporting that Brighton and Sussex University Hospitals NHS Trust has been served with a “notice of intent to fine” by the Information Commissioner (IC), for a breach of the Data Protection Act 1998 (DPA). The sum proposed is £375,000.

Assuming the story is true, the notice of intent to fine would be, strictly, a notice of intent, under s55B of the DPA, to impose a Monetary Penalty Notice (MPN). MPNs were introduced into the DPA by the provisions of Criminal Justice Act 2003. They provide a means whereby the IC can impose financial sanctions on Data Controllers for serious contraventions of the data protection principles. The maximum amount for an MPN is £500,000, and the sums levied are not retained by the IC, but go to the consolidated fund.

The paper says

The incident relates to the theft of 232 drives out of 1,000 being decommissioned.

The Sussex Health Informatics Service was responsible for the disposal of the drives on the trust’s behalf and had appointed an individual to carry out the job.

In December 2010 it emerged four hard drives had been bought by a data recovery organisation on eBay.

The buyer contacted the trust and the drives were collected with the information destroyed.

An investigation revealed that 232 hard drives in total had been stolen and sold on.

The trust worked with the ICO, NHS Counter Fraud and Sussex Police and all the drives have been recovered.

The trust says there was a very low risk of any of the data being passed into the public domain.

Several points arise from this.

At a proposed £375,000 this MPN, if imposed, would be by far the highest so far served on a data controller. The previous highest – £130,000 – was imposed in December last year on Powys County Council.

The fact that news of the proposed MPN has come out before it has been actually served (that is, at the “notice of intent” stage) is perhaps connected with the fact that the Argus reports that “The trust says it will be contesting the fine”. By s55B(5) of the DPA a data controller in receipt of an MPN may appeal to the Information Tribunal against both the issue of the MPN, and the amount. If the Trust are contesting the fine now, they may ultimately decide to appeal to the Tribunal. This would be interesting: most of the guidance on sanctions for serious contraventions of the DPA comes from the IC himself, and from previous MPNs and undertakings. Many data controllers would find it helpful also to have some judicial analysis to draw on in these circumstances.

Until now, nearly all MPNs have been imposed on local authorities. I’ve previously questioned why this was, and posited that it would be a high risk move for the IC to serve an MPN on the NHS:

one wonders what sort of critical media coverage might ensue, as well as what the effect on the reputation of the DPA regime would be, if the IC were to impose hefty monetary penalties on the NHS. And as the sums levied go not towards improving general data security, but rather straight into the government consolidated fund, one begins to see why it might not be a particularly attractive option: a regulator who takes direly-needed money from the NHS, and places it in the government’s wallet, could well struggle to maintain popularity with the media and the public.

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essentail but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

1 Comment

Filed under Breach Notification, Data Protection, Information Commissioner

Tagged as , ,

December 2, 2011 · 9:03 am

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies to specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself  is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the Data Protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Vivian Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to this office since the amended PECR came into effect, and by whom and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to the 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itslef unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances” but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies with my request for names of companies, and it

…may take up to an additional 20 working days to take this decision.  We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.

 

 

1 Comment

Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy