Healthcare Committee Data Breach

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.

A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA) concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website had published sensitive data wrongfully: there was neither a legitimate purpose nor a legal basis for the publication, and none of the exemptions from the prohibition on processing sensitive personal data under the General Data Protection Regulation (GDPR) applied. As a result, the DPA has fined the Committee and ordered changes to ensure compliance going forward.

Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.

The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had relied solely on oral communication to pass on publication instructions, and the patient’s personal data was published because those instructions were not followed. Although the publication was accidental, it resulted from insufficient organisational measures to protect personal data.

Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action.

The Swedish DPA has ordered the Committee to establish written instructions and to institute measures to ensure compliance with those instructions by those who are tasked with publishing data on its website. In addition to ordering the Committee to bring its handling of personal data into full compliance with the GDPR, the DPA has also ordered the payment of a 120,000 Swedish kronor administrative fine (approximately 11,000 euros). The published document that caused the data breach has since been removed from the region’s website.

What should the Healthcare Committee have done in order to avoid the breach?

- Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee.

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

- Deliver relevant training to the employees. When it comes to reducing the risk of data breaches, it is paramount to train the staff so that they understand the new processes you have put in place and also the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data; therefore additional safeguards should apply, and the lawful bases for processing it are limited to a few specific scenarios. However, it should be noted that the breach would have taken place even if the personal data published on the website had not been sensitive, because there was no legitimate basis for making the information public.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EasyJet Customers Hacked

Approximately Nine Million EasyJet Customers Hacked

EasyJet reveals that some nine million of its customers have been affected by a “highly sophisticated cyber-attack”

Nine million EasyJet customers have been hacked, according to a recent BBC news article. In January this year EasyJet became aware of a cyber attack that had affected millions of its customers, and it is now, on the advice of the ICO, going public in order to minimise potential phishing attempts. So far it has been noted that email addresses and travel details have been stolen and that 2,208 customers also had their credit card details accessed.

Although investigations are still underway, EasyJet reportedly told the BBC that it was only able to notify customers whose credit card details were stolen in early April.

The BBC article quotes EasyJet: “This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

At present, EasyJet has found no evidence that any personal information has been misused, although the ICO is investigating the breach and may take action accordingly. One should note that, regardless of how the attackers use the personal data compromised in a breach, the risk to the rights and freedoms of the data subjects involved plays a key role when assessing the consequences of the incident and deciding which measures should be implemented.

What should EasyJet’s response to the breach be?

The steps that should be taken upon a breach with the aim of reducing the impact of the potential harm are the following: 

  • Apply any necessary measures to contain the breach where possible.
  • Inform the DPO.
  • Assess the risk of the breach and identify relevant elements such as categories of data and data subjects affected plus remedial actions considered or taken.
  • Report the incident if necessary:
    • The ICO should have been notified within 72 hours after having become aware of the breach, unless it was unlikely to result in a risk to the rights and freedoms of natural persons.
    • The customers should be notified unless EasyJet has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. This is not the case here, because travel and credit card details were involved, which may comprise sensitive data and lead to further attacks such as phishing. For example, under the current global health emergency, travel details may involve information about the customer testing positive for COVID-19.
  • Evaluate the response and recovery to prevent future breaches.

It should also be noted that the reason why most data breaches take place is human error, therefore providing training to the employees is paramount.


New facial recognition bill

New facial recognition bill passed in Washington state.

New facial recognition bill passed in Washington state, constraining government use of facial recognition. What does the future hold for this technology in Europe and abroad?

A new facial recognition bill passed in Washington state recently will require public agencies to report frequently on their use of the technology and to have it tested for fairness and accuracy. Law enforcement may use the technology, but must first obtain a warrant, except in cases of emergency. Under this new facial recognition bill, any public agency which uses facial recognition technology to make decisions that may have legal repercussions must ensure that the results are reviewed by a human. This includes any use that may have ramifications for someone’s job, financial services, housing, insurance or education.

Washington state’s new facial recognition bill also establishes a task force to study the use of facial recognition technology by government agencies. As civil rights groups and researchers claim that facial recognition can amplify human biases, the American Civil Liberties Union (ACLU) is calling for a delay on the implementation of facial recognition by both local and federal government agencies. The ACLU and MIT conducted studies of Amazon’s facial recognition software (Rekognition) which showed that the technology misidentifies women and people of colour more frequently than it does white men. While Amazon responded that the methodology of those studies was flawed, Amazon CEO Jeff Bezos has deemed facial recognition “a perfect example of where regulation is needed.” Washington state is home to both Microsoft and Amazon, two of the largest US companies developing facial recognition software. Leaders at both companies have urged lawmakers to create new rules for facial recognition technology, which has been, for the most part, unregulated.

The GDPR gives everyone the right to object to profiling, including biometric profiling like facial recognition, and also requires companies to conduct data protection impact assessments before systematically monitoring a publicly accessible area. Pursuant to Article 35 of the GDPR, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. For this reason, the EU has been considering a temporary ban on the use of facial recognition software.

Recently, on our vlog, we explored the ramifications of the use of facial recognition in public spaces. You can take a look at it right here, and also subscribe to our Youtube channel for more updates.

Does your company utilize biometric data such as fingerprinting, voice printing and facial recognition? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides GDPR adaptation consultancy services, including data protection impact assessments, EU AI Ethics assessments and Data Protection Officer outsourcing. Contact us today.

EDPB GDPR consent guidelines.

EDPB published GDPR consent guidelines

The European Data Protection Board (EDPB) published guidelines on consent under regulation, including a complete analysis of the notion of GDPR consent.

The EDPB published guidelines on consent under regulation on May 4th 2020, which include a complete analysis of GDPR consent. In the 31-page document released earlier this week, the EDPB outlines the requirements for obtaining and demonstrating valid consent. Consent is one of six lawful bases for processing personal data, as outlined in Article 6 of the GDPR. Data controllers must consider which lawful ground is appropriate for the intended processing of personal data before initiating any activities that would involve processing such data.

Elements of valid GDPR consent

Article 4(11) of the GDPR specifies that consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The use of the term free implies that the data subject has a real choice in the matter. As a general rule, the GDPR states that if the data subject has no real choice, feels compelled to consent or feels they will endure negative consequences in the absence of their consent, then consent will not be valid. Any element of inappropriate pressure or influence upon the data subject which prevents a data subject from exercising their free will, shall render the consent invalid.

In order for consent to be valid, it must also be specific, meaning that consent must be given in relation to “one or more specific” purposes and that the data subject has a choice in each of them. The requirement that consent must be ‘specific’ aims to guarantee a degree of user control and transparency for the data subject. According to Article 6(1)(a) of the GDPR, data subjects must always give consent for a specific, explicit and legitimate processing purpose.

The GDPR also maintains the requirement that consent must be informed. According to Article 5 of the GDPR, transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. It is imperative that data subjects are provided with sufficient information prior to obtaining their consent. In the absence of sufficient information, the consent will be invalid and the controller may be in breach of Article 6 of the GDPR.

The EDPB believes that at least the following information is required for obtaining valid consent:

  1. the controller’s identity,
  2. the purpose of each of the processing operations for which consent is sought,
  3. what (type of) data will be collected and used,
  4. the existence of the right to withdraw consent,
  5. information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
  6. the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

In addition to the aforementioned criteria, consent must always be given through an active motion or declaration. It should be clear that the data subject is consenting to the particular processing. Article 4(11) GDPR clarifies that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action. Clear affirmative action implies that the data subject must have taken a deliberate action to consent to the particular processing.

Obtaining explicit GDPR consent

In situations where a serious data protection risk presents itself, it is imperative that explicit consent is obtained in order to process personal data. According to Article 9 of the GDPR, explicit consent is needed for the processing of special categories of data. The term explicit refers to the manner in which consent is expressed by the data subject: the data subject has to give an express statement of consent in order for the consent to be deemed valid. This can take the form of a signed statement, an electronic form, an email, a scanned document carrying the signature of the data subject, or an electronic signature. In theory, oral statements can also sufficiently express valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded.

Additional conditions for obtaining valid GDPR consent

According to Article 7 of the GDPR, it is the sole responsibility of the controller to demonstrate a data subject’s consent. Recital 42 states: “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.” Controllers may keep records of consent statements received, or freely choose the method through which they comply with this provision. The obligation to demonstrate consent lasts for as long as the data processing activity is being carried out. While there is no specific time limit in the GDPR for how long consent will last, the EDPB recommends, as a best practice, that consent should be refreshed at appropriate intervals.

As far as withdrawal of consent is concerned, the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as it was given, and at any time. The GDPR does not specify that consent must be given and withdrawn in the same manner; however, when consent is given electronically, via a simple mouse click, swipe or keystroke, the data subject should be able to withdraw that consent just as easily. This requirement of easy withdrawal is described as a necessary aspect of valid consent in the GDPR. Controllers also have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, provided that there is no other purpose justifying continued retention.

Examples

The guidelines provide some examples of when consent is not valid and when it is. We have put together those we consider most relevant below:

Own- and third-party marketing unlawfully bundled

“Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there are no separate consents for these two separate purposes, therefore the consent will not be valid. In this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner …, whose identity has been provided to the data subject at the time of the collection of his or her consent, insofar as it is sent to them for the same purpose (in this example: a marketing purpose).”

Service provision and marketing unlawfully bundled

“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.”

“Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it”.

Access to mobile phone features unlawfully bundled with the product

“When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).”

However, if refusing consent only means losing the benefits linked to that consent, it is acceptable:

“A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.”

Furthermore, there is no detriment if an alternative channel to access the product is provided:

“A fashion magazine offers readers access to buy new make-up products before the official launch. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.”

A suitable policy should be put in place with regard to children’s consent:

“An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:

Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent). If the user states that they are under the age of digital consent;

Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian;

Step 3: service contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility;

Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber.

If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps”.

Do you need assistance with the appropriate safeguards that should apply to consent for processing of personal data? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.