The Information Commissioner’s Office (ICO) has confirmed that it has received a breach report in relation to the Princess of Wales’ recent hospital stay at the London Clinic. It’s alleged that one or more staff members tried to access the Princess’s medical records in breach of patient confidentiality, bringing a new legal dimension to the Kate Middleton media storm. If this breach is confirmed, it will seriously damage the reputation of the clinic, where several members of the royal family and other high-profile celebrities have been treated.
To help you avoid and/or deal with data breaches occurring at your own business, we’ve set out some guidance below about how to keep your business’s data secure, what a data breach is, what to do if a data breach occurs, and when and how to notify the ICO of a data breach. Our Data protection policy toolkit and Data breach toolkit can help you keep personal information secure and deal with a data breach in the event one occurs.
What security measures do I need when I am storing personal data electronically?
It’s likely that your business will store much of the personal data it has collected in an electronic format. This exposes it to security breaches through theft, unauthorised staff access, loss of or damage to physical equipment, or attacks using malware (ransomware in particular) or phishing emails that harvest staff credentials.
The detail of the security measures you should be taking will be heavily dependent on the nature of your business, any relevant industry standards and best practice guidance, what personal data you are storing and what format it takes. When determining what security measures to put into place, you should consider the following:
- the physical security of your equipment;
- restricting access to personal data;
- using encryption; and
- cybersecurity measures.
You can find further guidance on each of these measures in our Q&A.
It’s important that you make sure that the equipment on which data is stored is physically secure, and that the data itself is technologically secure. Train your staff to appreciate the importance of data protection and to follow any internal data-handling policies you have (eg an IT security policy), including what to do about taking personal data offsite (eg on laptops, USB drives or phones). For template policies you can use setting out appropriate security measures for your staff to follow, use our IT, communications and social media policy and our Bring your own device policy.
You should regularly test and evaluate the security of the measures you take to protect stored personal data, to make sure that those measures remain sufficient for your purposes. Document the results of any testing and act on any shortcomings found.
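Two of the measures listed above, restricting access to personal data and then testing that the restriction actually works, can be illustrated with a small worked example. The following Python is an added example written for this article; it is not code from the London Clinic, the ICO or the author. It assumes a hypothetical data model in which a patient record may be viewed only by staff on that patient’s care team or through an explicitly justified “break-glass” override, and a hypothetical one-line-per-access audit log format. The review function is the “test” the paragraph above asks for: it reads the log and flags denied attempts, break-glass views that need a human to check the justification, and views that the control should have refused but did not, which is a personal data breach in its own right.

```python
"""Need-to-know access control for patient records, plus an audit-log review.

Added example for this article; not code from the clinic, the ICO or the author.
The care-team model, the break-glass override and the log line format are all
assumed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed policy data: each patient's record may be viewed only by the listed staff.
CARE_TEAMS = {
    "patient-001": {"dr.ahmed", "nurse.patel"},
    "patient-002": {"dr.lee"},
}

# Assumed audit log format, one access decision per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"result=(?P<result>allowed|denied) reason=(?P<reason>\S+)$"
)


@dataclass
class Event:
    ts: str
    user: str
    patient: str
    result: str
    reason: str


def decide_access(user: str, patient: str, reason: str = "care") -> bool:
    """Need-to-know rule: allow care-team members, or an explicit break-glass
    override that carries a non-empty justification. Everything else is refused."""
    if user in CARE_TEAMS.get(patient, set()):
        return True
    return reason.startswith("break-glass:") and len(reason) > len("break-glass:")


def parse_log(lines: list[str]) -> list[Event]:
    """Parse audit lines; malformed lines are dropped rather than guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def review_audit_log(events: list[Event], care_teams: dict) -> list[tuple[str, Event]]:
    """Return (category, event) pairs a breach-response team should examine."""
    findings = []
    for e in events:
        if e.user in care_teams.get(e.patient, set()):
            continue  # routine need-to-know access by the care team
        if e.result == "denied":
            findings.append(("denied-attempt", e))
        elif e.reason.startswith("break-glass:"):
            findings.append(("break-glass-review", e))
        else:
            # Allowed with no override and no care-team membership: the access
            # control itself failed, so personal data was disclosed without authority.
            findings.append(("control-failure", e))
    return findings


def repeat_offenders(findings: list[tuple[str, Event]], threshold: int = 2) -> dict:
    """Users with `threshold` or more denied attempts: the pattern to escalate first."""
    counts: dict = {}
    for category, e in findings:
        if category == "denied-attempt":
            counts[e.user] = counts.get(e.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample log: staff names, patient IDs and timestamps are invented.
SAMPLE_LOG = [
    "2024-03-19T21:02:11Z user=dr.ahmed patient=patient-001 result=allowed reason=care",
    "2024-03-19T21:05:40Z user=admin.jones patient=patient-001 result=denied reason=care",
    "2024-03-19T21:05:58Z user=admin.jones patient=patient-001 result=denied reason=care",
    "2024-03-19T21:06:30Z user=admin.jones patient=patient-001 result=allowed reason=break-glass:ward-transfer-query",
    "2024-03-19T21:09:02Z user=nurse.patel patient=patient-002 result=allowed reason=care",
    "2024-03-19T21:10:00Z user=dr.lee patient=patient-002",  # malformed, skipped
]


def run_review() -> list[tuple[str, Event]]:
    return review_audit_log(parse_log(SAMPLE_LOG), CARE_TEAMS)


if __name__ == "__main__":
    for category, event in run_review():
        print(f"{category:20} {event.ts} {event.user} -> {event.patient} ({event.reason})")
    print("repeat denied attempts:", repeat_offenders(run_review()))
```

On the sample log the review returns four findings: two denied attempts by the same user on the same record (the pattern alleged in the London Clinic case, and the one to escalate first), one break-glass view whose justification someone must read, and one allowed view by a staff member who is not on that patient’s care team, which means the control itself is misconfigured and a breach assessment is needed. Running the review on a schedule, and keeping its output, is the documented testing the paragraph above recommends.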
Personal data breaches
What is a data breach?
A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data, or to unauthorised access to it. The breach can be accidental or deliberate, and it need not involve an outside attacker.
All of the following situations are examples of potential data breaches:
- A device (eg laptop or USB stick) containing a database of customers’ personal information is lost or stolen.
- Your business’s systems are accessed remotely by a hacker or other person without authority.
- A member of staff accidentally deletes data from your systems: the data cannot be retrieved and is not backed up.
- A power failure or other outage makes personal data unavailable, even temporarily.
- You leave a document, CD or USB stick on a train. Even if you recover it at a later date, a breach will have occurred for the period it was outside your control.
- A staff member accesses information without authorisation (as alleged in the Kate Middleton/London Clinic case).
- You send an email containing customers’ or employees’ personal information to the wrong address.
If a breach of security occurs which puts the confidentiality, availability or integrity of personal data you hold at risk, you should treat it in the first instance as a personal data breach. The extent of your legal obligations when you become aware of such a data breach depends on the nature of the data affected and the potential risk posed to individuals.
What should I do if I become aware a personal data breach may have occurred?
When you become aware that a personal data breach has occurred, take the following steps as soon as possible. The 72-hour deadline for notifying the ICO runs from the moment you become aware, so containment, assessment and the notification decision all have to fit inside it:
- Take practical steps to contain the breach and recover any data.
- Identify whether personal data is affected by the breach.
- Determine whether you are a data processor or a data controller, as your obligations differ: a processor must notify the relevant controller without undue delay, and it is the controller that assesses the risk and notifies the ICO and affected individuals.
- Assess the risk the breach potentially carries to individuals. The greater the risk, the more onerous the obligation to notify.
- Notify the ICO of the breach unless it is unlikely to result in a risk to individuals’ rights and freedoms. If you decide not to notify, record the reasoning.
- Notify the individuals whose data is affected, where the breach carries a high risk to the rights and freedoms of the individuals involved.
- Keep a written record of the breach.
For a single-page checklist summarising the steps and process set out above, see Checklist for responding to a data breach. Use Data breach toolkit for a how-to guide and the documents you need to deal with a data breach.
In more serious cases, failure to make the necessary notification or keep a written record of such breaches can result in a significant fine of up to £8.7 million or 2% of your global turnover (whichever is higher).
When do I notify the ICO of the personal data breach?
If a personal data breach is likely to result in a risk to individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. You become aware once you have a reasonable degree of certainty that a security incident has compromised personal data; the clock is not paused while you investigate the details, and it starts when any of your employees realises a breach has occurred, not only when it reaches management. This emphasises the importance of having internal processes for escalating a suspected breach quickly. For a template personal data breach policy, see Personal data breach policy.
In certain limited circumstances, if you are unable to provide all of the information within the 72-hour period, you can notify in phases and supply the remaining details later. However, you must give reasons for the delay.
You can find more information about dealing with the ICO and data breaches here.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.