Social care and GDPR – one year on
One year on from its implementation date, GDPR hit the headlines again. Dan Meadon-Bower discussed what it means for the social care sector.
On 8 July the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, announced its intention to issue British Airways (BA) with a £183.9 million fine for infringements of the GDPR (the General Data Protection Regulation) – this amounts to 1.5% of its global turnover.
The size of the potential fine caused shockwaves, dwarfing the ICO’s previous highest fine of £500,000, issued to Facebook for the Cambridge Analytica scandal under the pre-GDPR regime. It would also be the highest GDPR-related fine in Europe to date, beating the previous record of Google’s €50m fine in France. Just a day later the ICO announced another hefty fine, this time for hotel chain Marriott International. This passed with much less fanfare, being a mere £99.2 million.
As the first big GDPR fines for the ICO, there has naturally been a lot of buzz around the cases. But there is nothing inherently new about them. GDPR has already fundamentally altered the compliance risk landscape for organisations, with potential for fines of up to €20m (or up to 4% of global turnover if higher), not to mention possible compensation claims from individuals. The ICO has already been issuing GDPR enforcement notices, and European regulators have been issuing fines since last year – €50m in the case of Google in France. The ICO’s warning that “when you are entrusted with personal data you must look after it” is simply an echo of all guidance issued to date.
However these cases are a timely reminder that GDPR isn’t just a bad memory from May 2018, it is an ongoing commitment that all organisations need to take seriously.
Lessons for the Care Sector
What can be learnt from BA or Marriott? Unfortunately not very much, as the ICO is yet to issue its reasoning behind either fine. We know they both relate to cyber incidents reported in 2018, and both involved the compromise of huge numbers of customer details – 500,000 customer financial records for BA, 339 million guest records globally for Marriott. BA is accused of “poor security arrangements”, and Marriott is accused of failing to secure its systems. Beyond this, though, we need to wait for the inevitable challenges from BA and Marriott to play through before the ICO issues any actual fines and its reasoning.
For now we can look to Europe for a cautionary tale for the care sector, coming from a hospital in Portugal. In October 2018 the Centro Hospitalar Barreiro Montijo (CHBM) received Portugal’s first GDPR fines, totalling €400,000. CHBM was found to have breached GDPR in a number of ways that should give care providers pause:
1. Non-medical staff had IT access to patients’ medical records (a breach of ‘need to know’ principles).
2. All doctors had access to all patient records, whether they needed it or not (a breach of ‘minimisation’ principles).
3. Test profiles were set up with full, unrestricted access rights, and user accounts were not deactivated quickly enough when no longer required (a failure to adopt appropriate technical and organisational measures).
As an aggravating factor, CHBM took the view that this was a third-party IT system for which it was not responsible. The Portuguese regulator gave this short shrift, reiterating that it was the hospital’s responsibility to ensure adequate security measures were implemented, particularly in relation to having technical rules defining access to sensitive health data.
This last point is important, and touches on a key feature of the Marriott case. Marriott’s breach wasn’t in its own systems, but in those of a company it had acquired two years previously. Not only had that company failed to spot a breach dating back to 2014, but neither did Marriott after it acquired the company in 2016. The ICO noted that Marriott had “failed to undertake sufficient due diligence when it bought Starwood” or do more to secure its systems thereafter. Care providers working with legacy systems, perhaps inherited from previous owners, may want to double-check those GDPR audits.
One key emerging theme from enforcement actions across Europe is the need to be proactive and open with regulators if a breach occurs, to promptly rectify the systems failures, and to reassure regulators that you aren’t going to be a repeat offender – in short, investigate, remediate and communicate. CHBM failed to do this and received higher fines than it might otherwise have done. Crucially, BA did appear to do this, which may be why its proposed fine is just 1.5% of global turnover instead of being nearer the maximum.
The lessons from GDPR enforcement so far are simple: know where personal data is located, control the access to it, document the legal grounds for processing it, and be open with your regulators.
Dan Meadon-Bower is a Commercial, Technology and Innovation Partner in the Social Care team at Royds Withy King. He can be reached by email: Dan.Meadon-Bower@roydswithyking.com. Visit www.roydswithyking.com for further information.