Data Matters - September 2023

Information Commissioner Update
ICO update

1. Data Breaches

Breaches in the news

Over the summer, the country has seen reports of two major data breaches: one by the Police Service of Northern Ireland (PSNI), and one by the Electoral Commission. In this article we discuss how the ICO is likely to consider approaching enforcement action and potential fine levels, by reference to its regulatory guidance and past practices. The ICO has previously confirmed that they consider that data protection compliance is an ongoing and iterative process and all organisations should carefully monitor any regulatory action taken by the ICO to identify any lessons which may apply to the way in which they process personal data and to minimise the risk of a similar breach occurring.

Breach backgrounds

PSNI’s breach resulted from a published Freedom of Information request, in which a spreadsheet released only for a few hours unintentionally included names, ranks and departments of around 10,000 staff. The Electoral Commission’s data breach appears to be larger in scale and due to external bad actors; a cyber-attack led to perpetrators gaining access to the Commission’s email control systems and reference copies of the electoral registers. The two breaches therefore have very different characteristics: the PSNI breach appears to be the result of an internal error, and presents a risk to the safety of subjects arising out of sectarian conflict; the Commission’s breach is the result of a cyber-attack, affects a far larger number of subjects, and represents a risk of economic loss through fraud.

Importantly, the Commission breach also aggravates the potential damage of the PSNI breach, by potentially allowing malicious actors to identify the home addresses of PSNI staff.

ICO guidance

The ICO’s key guidance is its Regulatory Action Policy (the Policy). The Policy sets out how the ICO approaches enforcement, including the various enforcement tools available, how it evaluates severity and, importantly, how it evaluates any fines to be levied.

Likely action regarding breaches

The ICO has taken the position more generally that it is inappropriate to levy fines against public bodies, on the basis this in effect only takes public funding from service users. Any likely action taken against PSNI or the Commission will therefore be limited to:

(i) a written reprimand if the two organisations willingly review and improve their compliance; and/or
(ii) an enforcement notice if they fail to implement any suggested improvements. However the ICO could still issue a small fine as a measure of how seriously it is treating the breach, levied as a proportion of what would have been a much larger figure had either organisation been in the private sector.

Key takeaways

What the breaches highlight is how context specific the seriousness of any data breach can be. In the case of the PSNI breach no home addresses or contact details were released, however the fact that it involved the names of serving officers, their roles and current deployments (including intelligence officers) highlights that whereas in one setting names and roles may be considered fairly anodyne and non-sensitive personal data. A breach in this context makes the release of such information puts the individuals concerned at very high risk. Equally, the cyber-attack on the Electoral Commission leading to the exfiltration of names and addresses from their systems may appear relatively benign on its own, but that information when combined with other relevant data could cause significant distress and apprehension to the individuals affected, for example, release of the Commission data could aggravate the potential impact of the PSNI breach to serving officers, by allowing malicious actors to identify the home addresses of PSNI staff.

2. ICO Enforcement Action

(i) Reprimand for data breach

NHS Lanarkshire was also reprimanded for sharing the personal data of patients via a team WhatsApp group. WhatsApp had not been approved by the NHS Lanarkshire for processing personal data, and was being used by the team without organisational knowledge during the COVID-19 pandemic. Between 1 April 2020 and 25 April 2022, there were at least 533 messages including patient names, phone numbers, dates of birth and addresses. There were also images and videos of patients shared, amounting to special category health data. An unauthorised individual was also added to the WhatsApp group resulting in various inappropriate disclosures. This case demonstrates the difficulty of managing data protection where staff were working remotely during the COVID-19 pandemic.

The ICO considered that NHS Lanarkshire did not implement appropriate technical and organisational measures to ensure the security of the personal data. The ICO said they should have:

• completed a risk assessment prior to making WhatsApp available to download;
• issued communications to staff when WhatsApp was made available to download to outline expectations regarding the handling of personal data via official and approved channels (eg. email);
• developed a standard operating procedure for WhatsApp; and
• issued communications to staff at the outset of the COVID-19 pandemic to outline expectations regarding the handling of personal data when working practices became more remote.

Going forwards, the ICO stated that before deploying new applications, NHS Lanarkshire should ensure that risks relating to personal data are considered, assessed and mitigated, and explicit communications and/or guidance should be issued to employees to explain data protection responsibilities. NHS Lanarkshire should make it clear when applications are not approved for processing personal data.

With work WhatsApp groups commonplace in all sectors, all organisations should be reviewing their social media and “bring your own device” policies (if any) to ensure that personal data is not being inappropriately shared on social media and other messaging platforms.

The reprimand and details of the case are available here: ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp | ICO

(ii) Regulatory action against five public bodies – FoI requests

In August, the ICO informed that it had taken action against five public bodies under FoI legislation for failure to meet the statutory timelines. Two organisations were issued with Enforcement notices, requiring them to respond to hundreds of requests that had passed the legal deadline for a response. In some cases the responses were years overdue in both organisations.

Practice recommendations were issued to three other organisations for failing to meet FoI response times and also for the high number of complaints made to the ICO in one case. The ICO noted in their press release confirming the action taken that in the 12 months since issuing their new approach to regulating public sector organisations they had taken double the action during that time than it had taken over the whole prior 17 year period since FoI legislation had first come into force. This clearly highlights the significant step change in the ICO’s attempts to deliver a much more focused and proactive regime to FoI regulation and compliance within the public sector, which is likely to continue unabated going forwards.

A link to the ICO’s blog post is available here: “We are continuing to deliver for the public” – ICO publishes practice recommendations and enforcement notices on FOI | ICO

3. ICO Guidance

(i) Freedom of Information – Upstream Regulation report

In July 2023 the ICO published a report produced by its Upstream Regulation Team which looked at FoI practitioners’ experience of dealing with FoI requests and the support they would like to see from the ICO going forward. The upstream regulation team was launched by the ICO with the aim of proactively preventing breaches of the FoI Act and EIRs. 

The team interviewed 30 FoI practitioners across five public sectors between December 2022 and January 2023 to find out more about their experiences of dealing with FoI requests and how the ICO might be able to support them going forwards. The interviews covered a range of areas including: their organisation’s current practices around FoI requests; use of training and guidance materials; what additional guidance and training they thought the ICO could offer; any barriers to compliance; examples of good practice in dealing with FoI requests within their organisation.

The report openly identified that one of the main barriers that FoI practitioners experienced was a lack of staff resource to deal with the volume of FoI requests they received, particularly in smaller organisations. Other challenges identified included:

• the difficulty of coordinating staff from other departments when information was needed and to extract that information before the statutory deadline
• receiving information in an abstract way which required additional skills in order to respond correctly to the question posed

Appendix A of the report contains a list of suggestions as to how the ICO could improve its own support for organisations in delivering better FoI compliance.

A copy of the report is available here: FOI Upstream regulation report | ICO

Bevan Brittan’s Information Law team is extremely experienced in this area and is well equipped to support your organisation with FoI/EIR compliance. In light of increasing regulatory action by the ICO to encourage organisations to achieve the statutory timescales we can support your organisation to deliver better outcomes for requestors and achieve your response targets. Don’t hesitate to contact us to find out more – our team contact details are available at Information Law | Bevan Brittan LLP.

(ii) ICO publishes guidance for employers on handling health information

The ICO has recently published guidance aimed at all employers to help them understand their obligations under data protection legislation when handling the health information of its employees and workers. The guidance highlights steps that employers need to take when dealing with workers’ health data, which will in many cases be highly sensitive and confidential. The guidance deals with a range of queries including when such information may be shared; when it may be appropriate to undertake health monitoring of your staff as well as general advice on processing sickness and injury records, and the legal bases for doing so under data protection law. Employers are strongly recommended to consider this guidance carefully and review their privacy notices to their workers and employees to ensure that they reflect when and how an organisation will process their information, as the ICO will ask to see such a document in the event a worker makes a complaint. The detailed guidance is available here: Information about workers’ health | ICO

UK Law & Policy Update

Update on DPDI Bill

In our previous edition of Data Matters, we highlighted the (re)introduction of the Data Protection & Digital Information (No 2) Bill, which replaced the previous Data Protection and Digital Information Bill.

By way of update, the new Bill had its second reading in the House of Commons in May and moved to the Committee stage. On 13 June, the Committee for the Bill concluded, having made various technical amendments to the Bill to ensure consistency with legislation. The Bill is currently at the Report Stage of the House of Commons, it will next proceed to the third reading, giving the House of Commons a final chance to debate the contents of the bill and vote on its approval. If approved, the Bill will move to the House of Lords for consideration.

A Government spokesperson previously suggested that they expect the new Bill to receive Royal Assent within a year of its introduction to Parliament (which was in March this year), but even then, most provisions will only take effect on the dates designated in Secretary of State regulations. Organisations therefore do not immediately need to plan for the Bill’s introduction, but it is worth following the developments closely to consider any changes that may be necessary next Spring/Summer. We will keep readers updated on the Bill’s progress in subsequent editions of Data Matters.

Introduction of the Data Protection (Fundamental Rights and Freedoms) Amendment Regulations 2023

As part of the changes to UK legislation arising as a result of Brexit, the UK government is introducing these Regulations under the powers granted by the Retained EU Law Act 2023 to replace wording in the UK GDPR guaranteeing the protection of individuals’ rights fundamental rights and freedoms under EU law with the rights and protections provided for under the European Convention on Human Rights, as set out within the Human Rights Act 1998. The change will take effect in January 2024. The changes arise as a result of the Retained EU Law Act 2023 repealing the European Union (Withdrawal) Act 2018 which had originally retained the EU concepts of fundamental rights and freedoms, which will be redundant in UK law by the end of 2023.

EU Law Update And International Data Transfers

The EU has now formally accepted a new privacy scheme for the transfer of data to the US, the new Data Privacy Framework (DPF). This will be a relief for EU organisations transferring personal data to the US, and a sign of hope for UK organisations doing so.

What is the DPF?

The DPF is in effect a scheme run by the US, setting out a number of data protection standards and mechanisms, within which a signatory organisation will need to operate. Following the Commission decision approving the DPF, the EU has accepted that any transfers to a US organisation which is a signatory to the DPF are now transfers to an adequate jurisdiction.

In particular, the DPF sets out a number of rights of challenge for EU citizens whose data is transferred to the US, and relies on a recent Executive Order by President Biden which sets out enhanced restrictions on US intelligence authorities in processing personal data (whether about EU citizens or otherwise).

The lack of right of challenge or restrictions on US intelligence authorities have been the issue for the DPF’s predecessors, Safe Harbor and Privacy Shield. Safe Harbor was struck down in 2015 due to the lack of controls on US public authorities; Privacy Shield was struck down in 2020 for similar reasons, both times due to cases brought before the European Court of Justice by the Austrian privacy activist, Max Schrems. Schrems has already indicated he intends to challenge the DPF, with any challenge likely to be commenced within months of the DPF coming into force.

UK Consequences

For now, this does not change matters for UK organisations, whose transfers are still subject to the safeguard requirements in Chapter V of the UK GDPR (SCCs and BCRs plus transfer risk assessments). However, the UK and US announced in June that they have reached a ‘commitment in principle’ to adopt an extension to the DPF, which would in effect extend a UK-US “data bridge” that would reflect the EU-US DPF. This would enable UK-US data flows to benefit from a similar adequacy decision, while also allowing the UK’s data protection regime to stay sufficiently robust to not endanger EU-UK data flows. Initial indications suggest that the US adequacy decision may be due to arrive during September 2023.

As Data Matters went to press the UK government published a Notice confirming that the Secretary of State had laid adequacy regulations in Parliament establishing the data bridge thereby enabling UK businesses and organisations to be able to transfer personal data to the US to organisations certified under the DPF once the regulations come into force from the 12 October 2023. The government has published a suite of documents including the regulations, its analysis of the UK extension to the DPF and the ICO’s opinion at the following link: UK-US data bridge: supporting documents - GOV.UK (www.gov.uk)

If you have any questions about the issues raised in this update, please contact a member of our Information Law team.