Section 2 of the Data Protection Act 1998 stipulates that information concerning a person’s health (mental or physical) is sensitive personal data. This means that a person’s health information attracts a higher level of protection under the Data Protection Act 1998; the damage and distress that can result from the inappropriate disclosure or processing of a person’s health information can be significant. People can experience bullying, harassment and/or discrimination as a consequence of mental or physical health conditions. Some health conditions, mental or physical, can attract far more discrimination than others do. HIV is, sadly, a health condition that still attracts a certain amount of discrimination and prejudice in the UK today. With that in mind, an NHS Trust sending out its E-mail newsletter to users of its HIV sexual health services, with all of the recipients E-mail addresses visible to every other recipient, is likely to result in the said NHS Trust being in more than a bit of bother with the Information Commissioner’s Office. That’s exactly what happened to one NHS Trust in London.
The Information Commissioner has served a Monetary Penalty Notice in the amount of £180,000 on Chelsea and Westminster Hospital NHS Foundation Trust after a member of staff E-mailed out a Newsletter to users of 56 Dean Street with all 781 recipient’s E-mail addresses being visible to all of the recipients.
56 Dean Street is a Soho based sexual health clinic which provides sexual health services to patients, including patients who are HIV positive. The clinic had developed a service whereby patients with HIV were able to receive results and to make appointments and enquiries online. They, together with a small number of patients who were not HIV positive, received newsletters from the clinic. Some of the E-mail addresses included the full name of the patient whose E-mail address it was. In September 2015, a member of staff sending out one of the clinic’s newsletters sent the E-mail with all of the recipient’s E-mail addresses in the “to” field, rather than the “bcc” field. This meant that each recipient was able to see the E-mail addresses of all other recipients.
This was not the first time that a member of the Trust’s staff had done this in respect of E-mail addresses of HIV Patients. The Monetary Penalty Notice served on the Trust records a similar incident that occurred in March 2010. In that incident, a Pharmacist sent out a questionnaire to 17 patients receiving treatment for HIV about their treatment. The E-mail addresses of all recipients were included in the “to” field, rather than the ‘bcc’ field; meaning that they were visible to all recipients. The Monetary Penalty Notice records that remedial steps were put into place by the Trust following that breach, it doesn’t state what they were; however, it does record that there was no training given to staff to remind them to check the group E-mail addresses were being placed in the correct field, nor had they replaced the E-mail account being used with one that would enable separate E-mails to be sent to each address on the mailing list.
The Monetary Penalty Notice records that subscribers were not told that their E-mail addresses would be used to send Newsletters to other patients by way of a bulk E-mail and also notes that one of the subscribers should have been removed from the list following their relocation to Essex.
The Commissioner found that the Trust had breached the seventh Data Protection Principle, which relates to having appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data as well as against the accidental loss or destruction of, or damage to, personal data. The Commissioner considered that the Trust had failed to comply with the seventh data protection principle by not using an E-mail account that enabled separate E-mails to be sent to each recipient, and also by failing to provide adequate training to staff to ensure that E-mail addresses were being placed in the correct field.
The Commissioner was satisfied that the Trust was responsible for the breach. The Commissioner was also satisfied that the Trust had not intended to breach the seventh data protection principle. However, the Commissioner was satisfied that the breach that had occurred was reasonably foreseeable and that the Trust should have therefore taken steps to prevent the breach from occurring.
Once again a breach of the seventh Data Protection Principle has resulted in enforcement action being taken by the Information Commissioner. The Information Commissioner’s enforcement action in respect of Data Protection breaches has almost exclusively centred on breaches of the seventh Data Protection Principle. Each time enforcement action is taken it carries with it national publicity. Therefore, Data Controllers ought to be well aware that failures to have in place adequate internal processes and security measures to protect personal data, especially where that Data Controller is also a public authority, are extremely likely to result in enforcement action being taken by the Information Commissioner – and that is aside from the reputational damage that inevitably comes with security breaches around personal data.
It is important that Data Controllers ensure that they have in place adequate policies and procedures as well as software and other technical measures (such as password protection and encryption) to protect against all reasonably foreseeable data breaches. That requires organisations to review the personal data that they hold, together with the ways in which they process that personal data, to identify vulnerabilities in respect of the security of personal data that they hold. The results of getting it wrong can be substantial, both financially and reputational.
The current maximum financial penalty available to the Information Commissioner is capped at £500,000; however, when the new Data Protection regulation enters into force in May 2018 (subject to the results of the EU referendum next month) the maximum financial penalty for such breaches will increase to 4% of net global turnover of €20 million and so the financial consequences of getting it wrong could be even greater in two years time than what they currently are.
When a Data Controller processes personal data they are being trusted with that data by the Data Subject. Some Data Controllers are entrusted with some of the most sensitive personal data about an individual, perhaps things that only a few other trusted people know; that level of trust can be huge. It’s not the sort of information that should just be left lying around; it needs to be kept safely and securely and be processed in a way that is appropriate for its nature; especially when the information in question is (rightly) defined as sensitive personal data.