BBC News recently highlighted a stark example of a failure to protect sensitive data. The DVLA sent a letter about a driving licence to “multiple sclerosis Caron Garrod”. Ms Garrod was justifiably offended by the insensitive title and horrified that her medical condition had been divulged through the postal system.
The DVLA has apologised and promised an urgent inquiry. Our amateur sleuths wonder if someone used auto-replace to change MS to multiple sclerosis – but the unintended consequence was that Ms Garrod became multiple sclerosis Garrod.
Something had obviously gone awry at the DVLA and the disclosure was clearly unintentional. However, a simple administrative error like this can have grave ramifications. Under the Data Protection Act 1988 (DPA), medical information is classed as “sensitive personal data” and organisations that hold such data have a duty to protect it. There are strict rules under the DPA about its processing and security. Those rules will become even stricter in May, when the General Data Protection Regulations (GDPR) replace the DPA.
The way society generates and handles data has changed immeasurably since the DPA was drafted in 1988. The GDPR is the biggest change to data protection in 20 years and will bring the law up to date. The core themes under the new regime will be the same, but there are new obligations that organisations which handle personal data, including medical information, will need to be aware of and prepare for.
If Ms Garrod’s letter had been sent after the GDPR came into force, the DVLA would have had to report itself to the Information Commissioner’s Office. It will become mandatory to report a personal data breach within 72 hours to the supervising authority. The GDPR defines a personal data breach as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Any breach which is likely to result in a risk to the rights and freedoms of individuals must be reported. The report must describe the nature of the breach and detail those affected, the likely consequences and the measures taken to address or mitigate the effects. Accidental disclosure of personal data, as happened here, will amount to a breach.
An organisation that fails to report runs the risk of a significant penalty. An administrative fine of up to 10 million Euros, or 2 per cent of worldwide annual turnover, whichever is higher, can be imposed. An administrative error that leads to an accidental disclosure could therefore have dire financial consequences, particularly for smaller organisations.
If your business or organisation handles personal data (and almost all do), the GDPR will apply to you. Organisations that handle sensitive medical information need to be especially diligent. It is vital that you make sure you are fully aware of the guidelines your organisation should follow in order to be compliant with the new regulations, before they come into force.
Graeme Watson is a partner at Clyde & Co.