By Helena Marttila-Bridge and Oliver Grazebrook
Earlier this month, the UK’s Information Commissioner’s Office (“ICO”) released statistics showing that over 25% of the 335 data breaches reported between 1 April 2013 and 30 June 2013 came from the health sector. This comes as no surprise considering that the last 12 months have seen a string of widely reported data breaches in the health sector that have resulted in the ICO issuing fines. For example, in July, NHS Surrey was fined £200,000 after a computer containing confidential patient details, which had been handed to a third party for destruction, was sold on eBay.
One explanation for these high figures is the fact that the English health sector, unlike many other sectors, is subject to mandatory reporting obligations following data breaches. These reporting obligations have recently been updated, and from June 2013 onwards all public health sector bodies as well as their processors processing health and adult social care personal data have been required to use the Information Governance Toolkit Incident Reporting Tool (the Guidance for which is available here) administered by the Department of Health (“DoH”) to report certain data breaches to the DoH and the ICO. The Guidance contains a checklist intended to help healthcare organisations decide whether the data breach needs to be reported, based on factors such as the number of people and the sensitivity of the clinical data involved.
In addition to the healthcare sector, the ePrivacy Directive subjects telecommunications operators, internet service providers and other public electronic communications service providers to an obligation to notify personal data breaches to the data protection authorities and, where the breach is likely to adversely affect their personal data or privacy, to the affected individuals. This notification obligation has recently been supplemented by Regulation 611/2013, which came into force on 25 August 2013 and aims to ensure that personal data breaches are notified consistently across the EU.
Further, such breach notification obligations may soon be extended to other companies as well. The Commission’s proposed Data Protection Regulation contains provisions requiring all data controllers to notify data protection authorities of any data breaches within 24 hours and to notify individuals if the breach is likely to “adversely affect” the protection of their personal data.
Until a final version of the Data Protection Regulation comes into force, those businesses not subject to mandatory reporting obligations must decide for themselves whether or not to notify the relevant authority and the individuals concerned. An early notification will show transparency and can be taken into account when the regulator decides whether to impose sanctions, but overzealous notification could unnecessarily draw attention to privacy flaws. The key to responding effectively to a data breach is to ensure that the business is suitably prepared. Therefore, in order to help businesses prepare themselves, our colleagues have prepared this 10-step guide on managing the risks of a data breach.