Case Studies

Data protection totals

by Mark Rowe

The data protection regulator the ICO (the Information Commissioner’s Office) reports that in the quarter year April to June 2016 it received 545 new cases – about a 22pc increase on the number of cases received in the previous quarter (448). In those three months the ICO issued fines to –

Chief Constable of Kent Police for £80,000;
Blackpool Teaching Hospitals NHS Foundation Trust for £185,000;
Chelsea and Westminster Hospital NHS Foundation Trust (56 Dean Street clinic) for £180,000; and
Chief Constable of Dyfed Powys Police for £150,000.

As those fines may suggest, the health sector continued to account for the most data security incidents, as the NHS makes it mandatory to report incidents. The main data security issues within the health sector were:

• Data being posted or faxed to an incorrect recipient – 19 per cent of incidents.
• Loss or theft of paperwork – 19 per cent of incidents.

In the Blackpool case, the trust is required to publish equality and diversity metrics annually on its external website, and the error occurred during this process. Once the metrics had been uploaded, the personal data in question could be accessed via a pivot table. It is important that care is taken when providing data in the form of pivot tables: even though the underlying data is not immediately visible on the screen, it is still stored in the file and can be accessed. The Chelsea and Westminster case involved a newsletter being sent to patients of an HIV clinic; the sender failed to use the ‘bcc’ function, disclosing the identities of recipients and allowing their HIV status to be inferred. The trust had had a similar incident in 2010, yet failed to replace the email account it was using with an account that could send a separate email to each service user on the distribution list.

The main issues for local government were:

• Data being posted or faxed to an incorrect recipient – 27 per cent of incidents.
• Failure to redact data – 26 per cent of incidents.

The main issues in education were:

• Data being sent by email to an incorrect recipient – 18 per cent of incidents.
• Cyber incidents – 18 per cent of incidents.
• Loss or theft of unencrypted devices – 18 per cent of incidents.
• Data being posted or faxed to an incorrect recipient – 12 per cent of incidents.

The main issues in general business were:

• Data being posted or faxed to an incorrect recipient – 15 per cent of incidents.
• Data being sent by email to an incorrect recipient – 13 per cent of incidents.
• Cyber incidents – 13 per cent of incidents.

The main issues for finance, insurance and credit were:

• Data being posted or faxed to an incorrect recipient – 38 per cent of incidents.
• Cyber incidents – 15 per cent of incidents.

The main issues for the charitable and voluntary sector were:

• Cyber incidents – 31 per cent of incidents.
• Loss or theft of paperwork – 21 per cent of incidents.

Under the Privacy and Electronic Communications Regulations, communications service providers have a specific obligation to notify the Information Commissioner – and in some cases their own customers – about a ‘personal data breach’. Between April and June 2016, service providers notified the ICO of 235 separate breaches. The number of incidents reported to the ICO has increased steadily throughout the past four financial quarters.

There were 50 cyber incidents between April and June 2016. The most common incident type involved cyber security misconfiguration. This issue arises when people who are not authorised to access particular personal information are able to view it, or even extract it, because of incorrect or inadequate security settings.
