New data strategy introduced in the UK

New data strategy introduced in the UK to drive innovation and improve efficiency in the health sector.

The UK recently announced a new data strategy for health data, which focuses on 7 principles to harness the data-driven power and innovation exhibited during the pandemic and use it to improve the future of healthcare. These principles will be implemented to drive transformation in health care and create a secure system for both patients and professionals that prioritises privacy. The principles set out in the data strategy include improving trust in the health care system’s use of data, giving health care professionals the information they need to provide the best care, improving data for adult social care, supporting local decision-makers with data, empowering researchers with the data they need to develop life-changing treatments and diagnostics, working with partners to develop innovations that improve health care, and developing the right technical infrastructure.

Secure data environments will be made the default for the health sector, and de-identified data will be used to perform research.

In order to give patients the confidence that their personal information is safe, the NHS will make secure data environments the default, and adult social care organisations will provide access to de-identified data for research. As a result, data linked to a single individual will never leave a secure server, and de-identified data will only be used for research purposes. This is expected to enable the delivery of cutting-edge life-saving treatments and quicker diagnosis through clinical trials, as well as more diverse and inclusive research to tackle health inequalities. The public will be consulted on a new ‘data pact’, which will set out how the healthcare system will use patient data and what the public has the right to expect from it.

The new data strategy aims to digitize and improve several processes, providing ease to both patients and healthcare providers.

The new data strategy introduced in the UK will also include some key commitments to patients, giving them greater access to and control over their data. This will incorporate the simplification of the opt-out process for data sharing and improved access to records via the NHS App. The strategy also commits to a target of 75% of the adult population being registered to use the NHS App by March 2024, making it a one-stop shop for health needs. The new data strategy also aims for at least 80% of social care providers to have a digitised care record in place by March 2024.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Medical data breach leads to major fine from CNIL

Earlier this month, the CNIL imposed a fine of €1.5 million after a medical data breach affecting nearly 500,000 people revealed a company’s security flaws.

Early last year, a major data breach affecting nearly 500,000 people was reported. The breach involved information including users’ surnames, first names, social security numbers, names of their prescribing doctors, dates of their examinations, and, most critically, medical information on conditions (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data). In February 2021, the CNIL carried out several inquiries into the company DEDALUS BIOLOGY, a software company which supports medical analysis laboratories. Based on the findings, CNIL concluded that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The CNIL decided to impose a fine of 1.5 million euros and to make this decision public. The amount of this fine was decided based on the seriousness of the violations, but also took into account the turnover of the company.

CNIL sanctioned the software company for violating several GDPR obligations following the medical data breach.

Two companies engaged DEDALUS BIOLOGY to migrate from one software tool to another. In the course of this work, the company extracted a larger volume of data than was required to perform the task, and therefore processed data beyond the instructions given by the data controllers.

This breach of the processor’s obligation to comply with the controller’s instructions is a violation of Article 29 of the GDPR. CNIL also fined the company over a breach of the obligation to govern the processing by a formalised legal act, as the maintenance contracts transmitted to CNIL by DEDALUS did not contain the information required by Article 28(3) of the GDPR, which states that processing by a processor “…shall be governed by a contract or other legal act under Union or Member State law…”

During its investigation, CNIL also found several technical and organisational security failings at DEDALUS BIOLOGY in relation to the migration from one software tool to another. These included the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on the server in question, and the absence of automatic deletion of data after migration to the other software. In addition, the company’s systems lacked the authentication required to access the public area of the server from the Internet, and user accounts were shared between several employees on the private area of the server. DEDALUS also lacked a supervision procedure and a security alert escalation procedure for the server. This lack of satisfactory security measures contributed to the data breach, which compromised the medical and administrative data of nearly 500,000 people, and violated Article 32 of the GDPR.


UK Online Safety Bill: changes made to combat fraud and scams

The government has recently made changes to the UK Online Safety Bill to combat fraud and scams.

The UK government recently announced changes to its Online Safety Bill. These changes target several facets of online advertising, including social media advertising, with the aim of boosting people’s trust and confidence in being online by improving protection for internet users against fake ads and other potential scams. Platforms like social media sites and search engines will be required to eliminate fraudsters and scammers on their platforms. In addition, social media influencers could face harsher penalties for failing to declare paid advertising when promoting products. Meanwhile, the government has launched a public consultation on its Online Advertising Programme (OAP), as well as on wider reform of online advertising regulations.

The changes made to the UK Online Safety Bill will require social media platforms and search engines to do their part in combating cyber scams.

This major legislative change seeks to keep pace with major changes in the online world. As online criminals become more sophisticated in ripping off internet users, the UK government is making efforts to curb these issues. The new UK Online Safety Bill includes a legal duty for social media platforms and search engines to prevent fraudulent paid ads from showing up on their platforms. Security Minister Damian Hinds said “The changes that we are announcing today mean that online and social media companies will have to acknowledge these issues and take robust action to combat the scourge of online fraud, and take more responsibility to protect their users from this high-harm crime. Innocent victims must not be taken advantage of and conned online by fraudsters.” These companies will now be required to put in place proportionate systems and processes to prevent (or to minimise, in the case of search engines) the publishing and/or hosting of fraudulent advertising on their platforms, and to remove such advertising when it is discovered.

The UK government has also launched a consultation for its Online Advertising Programme (OAP).

A twelve-week consultation on the Online Advertising Programme started in the UK on March 9th, 2022. The programme will examine the current regulations and determine whether the current regulators are adequately empowered and funded. The current system is mainly one of self-regulation, overseen by the Advertising Standards Authority (ASA); however, with the rate at which technology has been developing, the scale and complexity of online advertising has morphed into something far more intricate. The programme seeks to consider the whole supply chain and what could be done by those within it to combat harmful advertising. In addition, it seeks either to strengthen the current self-regulation approach or to create a new statutory regulator, with measures such as mandatory codes of conduct and increased scrutiny throughout the supply chain. This, coupled with existing initiatives like the National Cyber Security Centre, aims to continue the fight against online fraud.


DATA PROTECTION AND GDPR: LESSONS LEARNED FROM 2021

The data protection industry is constantly evolving as the GDPR is implemented by organisations and enforced by the Data Protection Authorities.

New year, new beginnings? That is not always the case, and definitely not when the previous year has provided valuable insights for the upcoming one. Considering that the GDPR has only been in application since 2018, it is still a relatively new piece of legislation about which stakeholders, including organisations, Data Protection Authorities (DPAs) and broader society, are still learning. This is why we need to take a close look at any development in the industry, as it may shape the future of data protection. In this post we go through the main takeaways of 2021.

Schrems II and new SCCs

After Schrems II and the caveats that the CJEU added to the use of SCCs, the EU Commission adopted a new set of SCCs for the transfer of personal data to third countries in June 2021, as we reported on Aphaia’s blog. These new SCCs bring practicality and flexibility through a modular approach that makes them suitable for any type of data transfer, regardless of whether the controller or the processor acts as the data exporter or the data importer. The new SCCs also include a toolbox and some supplementary measures aimed at helping controllers and processors make safe international data transfers, built around the need to perform a Data Transfer Impact Assessment, which the parties can use to identify the risks of the transfer and their ability to comply with the clauses.

It should be noted that the ICO has not yet taken a position on the new SCCs. The ICO is planning to produce its own SCCs for restricted transfers made from the UK.

Other updates

Together with the new SCCs for international data transfers, the EU Commission also published a set of SCCs covering the Article 28 GDPR requirements. However, unlike the SCCs for international data transfers, these are not mandatory, and controllers and processors can still use their own terms in data processing agreements.

Not new in 2021, but still a work in progress over the year, were the rules on cookies and the concept of joint controllership. Many organisations are still updating their cookie banners to include toggles or checkboxes for each cookie that is not strictly necessary. Cookies are also relevant in terms of data protection roles since, as with any other joint personal data processing, if two or more parties are involved they may trigger joint controllership as a result of converging decisions.

GDPR enforcement

The impact of the work carried out by the DPAs is not clear at this stage: first, because the GDPR has only been around since 2018 and we are all still learning; second, because GDPR investigations are lengthy and time-consuming, running into several months; and third, because each DPA has its own criteria beyond Article 83 GDPR. For example, Portugal’s GDPR national implementation legislation places a 3-year moratorium on administrative fines to public bodies, while in Spain no fines can be imposed on the public sector at all. Aligned actions and criteria would help to enhance the consistency mechanism, contributing to the consistent application of the GDPR throughout the EU.

The role of the DPAs may also change in the upcoming years as new pieces of legislation enter into force, such as the EU AI Regulation Proposal.

The regulatory fines

Regarding fines, it should be noted that GDPR fines have ramped up significantly in recent months. It should be borne in mind, however, that when it comes to infringements the amount of the fine is not the only thing that matters: the cost that the process implies for the organisations involved and the damage to corporate reputation matter too.

I had the chance to discuss this with JC Gaillard from Corix Partners in their Cyber Security Transformation Podcast. You can access it [here].
