Why are public authorities being reprimanded by the ICO?
There is a simple explanation as to why the ICO has issued so many reprimands to public authorities in recent times.
In June 2022, the Information Commissioner’s Office (ICO) set out a revised approach to working more effectively with public authorities. The revised approach gave the Commissioner discretion to reduce the impact of fines on the public sector, and included undertakings to publicise lessons learned and to share good practice.
As a result of the revision, the ICO issued a reduced fine of £78,400 (a reduction of 90%) to Tavistock and Portman NHS Foundation Trust (TPHFT). The TPHFT was fined for disclosing 1,781 email addresses belonging to adult gender identity patients, which subsequently appeared as a screenshot on social media.
Since the TPHFT fine, the ICO has increasingly used its wider powers to issue warnings, reprimands and enforcement notices.
At the time, John Edwards, UK Information Commissioner, said: “I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives.”
Email ‘carbon copy’ errors among the top ten breach categories
Though the ICO is issuing fewer fines to public authorities, it has issued several reprimands in 2023.
In March 2023, the ICO issued a reprimand to NHS Highland for a “serious breach of trust” after a data breach involving those likely to be accessing HIV services. The ICO called for serious improvements to data protection safeguards among HIV service providers, and stated that “the stakes are just too high” given the impact on people’s lives.
The breach involved 37 people likely to be accessing HIV services being emailed using CC (carbon copy) instead of BCC (blind carbon copy). A reprimand was issued instead of a £35,000 fine.
According to ICO data, failure to use BCC ranks consistently in the top 10 non-cyber breaches, with nearly a thousand reported instances since 2019.
Human error and poor judgement blight data privacy
While human error is, according to the ICO, among the leading causes of privacy breaches, errors of judgement also contribute to breaches.
In August 2023, NHS Lanarkshire was reprimanded after it was discovered that staff shared patient information via WhatsApp between April 2020 and April 2022. 26 staff at the NHS Trust had access to a WhatsApp group where patient data was entered on more than 500 occasions. The data included names, phone numbers and addresses, as well as images, videos and screenshots containing clinical information.
The ICO concluded that the breach resulted from the lack of an appropriate Trust policy, which left the staff group concerned without a policy to follow and without support in following one.
The fact that the WhatsApp data breach took place during the COVID-19 pandemic, when staff were trying to find communication work-arounds to cope with unprecedented disruption, did not prevent ICO censure.
Prison no excuse for poor data protection
Data privacy breaches frequently result from oversights when people are working with digital media. However, poor practice when handling physical items can just as easily lead to careless data breaches.
In May 2023, the ICO issued a reprimand to the Ministry of Justice after confidential personal information had been left in a prison holding area.
Confidential waste documents were left in an unsecured prison holding area. Prisoners and staff had access to 14 bags of confidential documents, which included medical and security vetting details.
Staff challenged prisoners who were openly reading the documents, but did nothing further to ensure that the personal information was secured.
The ICO investigation uncovered a lack of robust policies at the prison. Shortcomings identified included: no pre-agreed, secure areas for confidential waste; lack of staff awareness regarding the need to shred information; and a general lack of staff understanding about the risks to personal data and the need to report data breaches.
The ICO concluded: “Everyone has the right to expect their personal details will be kept secure and this includes in a prison environment, where exposure of personal information could potentially have serious consequences.”
Government bodies guilty of communication errors
Most of us can recall a time when we have sent an email to the wrong person. With luck, in most cases the recipient is tolerant and the error results in nothing more than mild embarrassment.
However, in 2023, the frequency with which the same error results in a serious data breach and an ICO reprimand is alarmingly high.
In Northern Ireland, the Patient and Client Council (PCC), an independent body that oversees health and social care issues, and the Executive Office (EO), the department that oversees the running of the government, both unlawfully disclosed recipient details by using inappropriate group email options.
The ICO reprimanded the PCC for sending an email to 15 people who had experienced living with gender dysphoria using the CC rather than the BCC option. The ICO also reprimanded Northern Ireland’s Executive Office for sending an e-newsletter concerning the Historical Institutional Abuse Inquiry to 251 subscribers without masking the “to” field.
Reprimands highlight a need for privacy-enabling technology
Facit Data Systems recently published an article on the need for all organisations to put in place privacy policies and staff data protection training.
ICO reprimands in 2023 continue to highlight the need for every organisation to have robust privacy policies in place, and to train staff to be able to understand the purpose of policies.
Another major take-away from the swathe of ICO reprimands in 2023 is the urgent need to implement privacy-enabling technology to eliminate human error. There are simple remedies to prevent sensitive information being sent to multiple visible recipients in a way that places people at risk: mail systems and databases should have rules applied that catch the error before the message leaves the organisation, so that it cannot recur.
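As an added illustration of the kind of rule described above (example code written for this page, not Facit’s product or anything the ICO publishes), the following Python pre-send check flags a message with several visible external recipients, the CC-instead-of-BCC mistake behind the NHS Highland and PCC reprimands, and moves them into Bcc. The organisation domain, the threshold and the sample message are assumed values constructed for the example.

```python
"""Pre-send guard for the 'CC instead of BCC' mistake: an illustrative
outbound-mail rule, not any vendor's or the ICO's code."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"   # assumed: the sending organisation's domain
MAX_VISIBLE_EXTERNAL = 1          # constructed policy threshold


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def external(addrs):
    """Addresses outside the organisation; exposing these to each other is the breach."""
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_message(raw):
    """Return ('ok', msg) or ('rewritten', msg) with visible recipients moved to Bcc."""
    msg = message_from_string(raw)
    visible = visible_recipients(msg)
    if len(external(visible)) <= MAX_VISIBLE_EXTERNAL:
        return "ok", msg
    # Several external recipients are visible: move them all to Bcc and address
    # the message to the sender, as a bulk mailing should be. A gateway would
    # usually block and notify instead; rewriting is shown because it is easy to verify.
    sender = msg.get("From", "undisclosed-recipients:;")
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(visible)
    return "rewritten", msg


# Constructed sample: a clinic mailing sent with every recipient visible.
SAMPLE = """\
From: clinic@example.org
To: patient.one@mail.test, patient.two@mail.test
Cc: patient.three@mail.test, nurse@example.org
Subject: Appointment reminder

Please see the attached information.
"""

if __name__ == "__main__":
    verdict, fixed = check_message(SAMPLE)
    print(verdict, fixed["Bcc"])
```

Re-running the check on the rewritten message returns "ok", which is the property a gateway rule should enforce before releasing any bulk mailing.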
With regard to documents and video footage that contain personal data, there are simple, automated tools to remove or redact the information that would otherwise continue to lead to data breaches.