The Information Commissioner's Office (ICO) has again issued a significant fine for breach of the Data Protection Act 1998 (DPA) following the loss of a portable device.
A £15,000 fine was imposed on a nursing home in Northern Ireland which was found to have failed to properly protect the sensitive personal data it held. The data in question related to employees as well as the nursing home's vulnerable residents and covered details including dates of birth, health, resuscitation status as well as sickness absence records and details of disciplinaries. As such the loss of the data was likely to cause substantial damage and distress to the individuals concerned.
The breach occurred when a staff member's home was burgled during the night and a work laptop, which was unencrypted (but password protected), was taken. The laptop had been left in a bag in the staff member's living room.
The ICO investigation found that Whitehead Nursing Home did not have any policies in place covering homeworking, the storage of mobile devices or encryption and inadequate training on data security had been provided. This was despite the laptop being taken home on a regular basis for work to be completed. There was no reason why the nursing home had not taken appropriate safeguarding measures despite knowing that a staff member was using an unencrypted portable device to store confidential and sensitive personal data.
Size of the fine
Whilst the breach was considered to be serious given the nature of the data and the number of individuals affected, the fine reflected the size of the nursing home. Larger businesses and organisations responsible for a similar level of data breach would most likely be facing a much higher penalty.
Data protection principles
The DPA emphasises the importance of data security as one of the eight data protection principles; a data controller must have appropriate technical and organisational measures in place to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, as well as damage to, that personal data.
This requirement for security of data remains a key principle in the new General Data Protection Regulation (GDPR), which is due to replace (or at least amend) the DPA in May 2018. See our previous article on this.
However, the GDPR contains a new accountability requirement which will require data controllers and data processors to be able to demonstrate compliance with the principles. Hence the need for appropriate data compliance policies and proactive and regular training on such policies will increase.
This latest publicised breach should prompt all organisations collecting and processing the personal data of customers, clients and employees to consider what steps they have in place to protect that data. Data stored on high-risk portable devices is particularly vulnerable. Organisations should also have plans in place to enable them to respond properly to any data breach, as this is another area where the GDPR expands on the existing requirements of the DPA.
Data security is not just about having the right technology (such as robust passwords and encryption), although that is important, but also making sure employees understand how to comply with practical data protection requirements both in and out of the workplace. This can be achieved through having the right policies in place, giving regular and comprehensive training on the requirements and careful management to ensure the policies are implemented.
The level of security used should be appropriate to the harm that may result from that data being lost, damaged or processed unlawfully. Therefore sensitive data stored on a portable device, which is at higher risk of loss and theft, as in this case, should attract a higher level of protection, both technological and physical.