Healthcare Committee Data Breach

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.

A healthcare committee data breach came to light after complaints were filed with the Swedish Data Protection Authority (DPA) about the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the publication was unlawful: there was neither a legitimate purpose nor a legal basis for it, and none of the exemptions from the GDPR’s prohibition on processing special categories of personal data applied. As a result, the DPA fined the Committee and ordered changes to ensure compliance going forward.

Swedish DPA audit uncovers a lack of written instructions for publishing, increasing the risk of a data breach.

The Swedish DPA audited the Committee after receiving a complaint about the breach and found that there were no written instructions for publishing information on the Committee’s website; instructions had been passed on orally only. The patient’s personal data was published because those oral instructions were not followed. Although accidental, the publication was the result of insufficient organisational measures to protect personal data.

 

Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action.

The Swedish DPA has ordered the Committee to establish written instructions for those tasked with publishing data on its website and to put measures in place to ensure those instructions are followed. In addition to ordering the Committee to bring its handling of personal data into full compliance with the GDPR, the DPA imposed an administrative fine of 120,000 Swedish kronor (roughly EUR 11,000). The document that caused the breach has since been removed from the region’s website.

 

What should the Healthcare Committee have done to avoid the breach?

  • Have in place an adequate internal data protection policy with clear, written instructions on how the personal data held by the Committee is to be processed and secured.

Pursuant to Article 24 GDPR: “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

  • Deliver relevant training to employees. When it comes to reducing the risk of data breaches, it is paramount to train staff so that they understand the processes you have put in place and the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised is health information, a special category of personal data, so additional safeguards apply and the legal bases for processing it are limited to a few specific scenarios (Article 9 GDPR). Note, however, that the infringement would have occurred even if the data published on the website had not been sensitive, because there was no legal basis for making the information public at all.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EasyJet Customers Hacked

Approximately Nine Million EasyJet Customers Hacked

EasyJet reveals that some nine million of its customers have been affected by a “highly sophisticated cyber-attack”

Nine million EasyJet customers have been hacked, according to a recent BBC news article. EasyJet became aware of the attack in January this year and, on the advice of the ICO, is now going public in order to reduce the risk of phishing attempts against the affected customers. So far, email addresses and travel details are known to have been stolen, and 2,208 customers also had their credit card details accessed.

Although the investigation is still underway, EasyJet reportedly told the BBC that it was only able to notify the customers whose credit card details had been stolen in early April.

EasyJet is quoted in the BBC article as saying: “This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

 

At present, EasyJet has found no evidence that any personal information has been misused, although the ICO is investigating the breach and may take action accordingly. Note that, regardless of how the attackers use the personal data compromised in a breach, the risk to the rights and freedoms of the data subjects involved plays a key role in assessing the consequences of the incident and deciding which measures should be implemented.

How should EasyJet respond to the breach?

The steps that should be taken upon a breach, with the aim of reducing the potential harm, are the following:

  • Apply any necessary measures to contain the breach where possible.
  • Inform the DPO.
  • Assess the risk of the breach and identify relevant elements such as the categories of data and data subjects affected, plus the remedial actions considered or taken.
  • Report the incident if necessary:
    • The ICO should have been notified without undue delay and, where feasible, within 72 hours of EasyJet becoming aware of the breach (Article 33 GDPR), unless the breach was unlikely to result in a risk to the rights and freedoms of natural persons.
    • The affected customers should be notified (Article 34 GDPR) unless the compromised data had been rendered unintelligible to unauthorised parties, for example by encryption, or EasyJet has since taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. Neither appears to be the case here, because travel and credit card details were involved: these may comprise sensitive data and lend themselves to further attacks such as phishing. For example, under the current global health emergency, travel details may reveal that a customer has tested positive for COVID-19.
  • Evaluate the response and recovery to prevent future breaches.

It should also be noted that human error is behind a large share of data breaches, so training employees is paramount.

 


EDPB on Health Data

EDPB adopts Guidelines on the Processing of Health Data for Scientific Research Purposes during COVID-19

In the middle of the COVID-19 outbreak, the EDPB adopted Guidelines on the processing of health data for scientific research purposes to clarify some legal questions.

Considering that life may not return to normal until a COVID-19 vaccine becomes widely available, researchers from across the globe are focusing their efforts on producing results as soon as possible. In this context, questions regarding the application of the GDPR keep arising, therefore the European Data Protection Board (EDPB) has released guidelines on the processing of health data for scientific research purposes with the aim of providing basic guidance.

What is “health data”?

Article 4 (15) GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This meaning also covers the following:

  • Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks, such as the inference that a person is at high risk of severe illness from COVID-19 because of their medical conditions.
  • Information that becomes health data because of its use in a specific context, such as information about a recent trip to a region affected by COVID-19.

The EDPB points out that “processing for the purpose of scientific research” should be interpreted in a broad manner in line with Recital 159 GDPR.

What is the legal basis for the processing?

According to the GDPR, processing of special categories of personal data is only allowed in a limited set of scenarios (Article 9 (2) GDPR). Those most likely to be relevant to the processing of health data for scientific research purposes during the COVID-19 pandemic are the following:

  • The data subject has given explicit consent.
  • Processing relates to personal data which are manifestly made public by the data subject.
  • Processing is necessary for the purposes of preventive or occupational medicine.
  • Processing is necessary for reasons of public interest in the area of public health.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes based on Union or Member State law.

It should be noted also that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”, subject to appropriate safeguards.

Should the data subject be informed?

Pursuant to Articles 13 and 14 GDPR, the data subjects should be informed at the time when personal data is gathered, or “within a reasonable period after obtaining the personal data, but at the latest within one month” where it is not collected from the data subject.

However, considering that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection, the EDPB recommends delivering the information to the data subject within a reasonable period of time before the new research project is implemented.

Where the data has not been obtained from the data subject, Article 14 (5) GDPR provides four exemptions from the information obligation:

  • The data subject already has the information.
  • The provision of such information proves impossible, would involve a disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing. A controller seeking to rely on this exemption should demonstrate the factors that actually prevent it from providing the information to the data subjects or carry out a balancing exercise to assess the effort involved against the potential impact and effects of not providing the information.
  • Obtaining or disclosure is expressly laid down by Union or Member State law. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”.
  • The personal data must remain confidential subject to an obligation of professional secrecy.

What other measures should be taken?

In light of the data minimisation principle, the EDPB deems it essential to specify the research questions and to assess the type and amount of data necessary to answer them properly before proceeding. Additionally, the data should be anonymised where possible.

Proportionate storage periods shall be set as well, taking into account criteria such as the length and the purpose of the research.

As for the security measures that should be implemented, alongside pseudonymisation, encryption, non-disclosure agreements and strict role-based access control, the EDPB stresses that a data protection impact assessment should be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons”, and highlights the data protection officer as a key role that should be involved in the process.

What about the exercise of data subjects’ rights?

Together with the information obligation exemptions addressed above, Article 17 (3) (d) states that the right to erasure “shall not apply to the extent that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing”.

It has to be noted that, in the light of the jurisprudence of the CJEU, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary.

Are international data transfers allowed?

In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception, such as:

  • The data subject has explicitly consented to the proposed transfer.
  • The transfer is necessary for important reasons of public interest. 

It should be noted, however, that repetitive transfers of data to third countries, part of a long lasting research project in this regard, would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

And if you want to be updated about COVID-19 and AI, don’t forget to subscribe to our YouTube channel.

Dutch DPA Imposed a Fine

The Dutch DPA Imposed a Fine on the Dutch Tennis Association under the GDPR for Illegally Selling Personal Data for marketing purposes.

The Dutch DPA Imposed a fine on the Dutch Tennis Association (The KNLTB) of EUR 525,000, for the unlawful sale of personal data of its members to two sponsors.

The Dutch DPA recently imposed a fine on the Dutch Tennis Association (KNLTB) under the GDPR for the unlawful sale of its members’ information to two of its sponsors. The information shared included personal data such as names, addresses and gender. The two sponsors then used it to market offers to those individuals by phone and by post. One sponsor bought the data of 50,000 members, the other the data of over 300,000 members. While the KNLTB argued that it had a legitimate interest in selling its members’ data, the Dutch DPA disagreed, holding that financial gain was the real motive behind the KNLTB’s decision to infringe its members’ basic rights under the GDPR by selling their data.

 

Previous Fines by the Dutch DPA.

 

Before this most recent fine on the Dutch Tennis Association, the Dutch DPA had imposed two fines under the GDPR. The first, in 2018, was against the Dutch UWV (Employee Insurance Agency): the UWV was required to improve the security of its logging by October 2019, a deadline that has since been postponed by a year, and failure to comply carries a penalty of EUR 150,000 per month, up to a total of EUR 900,000. The second, imposed on the Dutch Haga Hospital, concerned insufficient internal security of patient records: approximately 200 employees had unauthorised access to the medical records of a Dutch celebrity, whose private, personal information was leaked to the press. For this, the Dutch DPA imposed a fine of EUR 460,000.

On another note, the DPA has in the past investigated Facebook’s failure to adequately inform users that their data was being used for targeted advertising. This did not result in a fine, but it did prompt a change in Facebook’s personal data policy.

The Dutch DPA’s Policies for Determining Administrative Fines.

To maintain consistency in the fines it imposes, the Dutch DPA has a specific policy for determining the level of administrative fines. Infringements are divided into categories according to the GDPR article infringed. As reported by the INPLP in their article, fines set under this policy can be increased or reduced depending on the following factors:

 

  • The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
  • The deliberate or careless nature of the infringement.
  • The measures taken by the controller or the processor to limit the damage to the data subjects involved.
  • The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR. 
  • Previous infringements, where relevant, by the controller or the processor.
  • The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
  • The categories of personal data affected by the infringement.
  • The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
  • The extent to which the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
  • Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
  • Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised or losses avoided, whether or not directly arising from the infringement.

The general guide for imposing fines is based on the following categories, determined by the corresponding GDPR infringement:

Category   Range of fines               Standard fine
I          €0 to €200,000               €100,000
II         €120,000 to €500,000         €250,000
III        €300,000 to €750,000         €525,000
IV         €450,000 to €1,000,000       €725,000

 

The fine imposed on the Dutch Tennis Association, KNLTB, was for a category III infringement and was therefore set at the standard fine for that category, €525,000. So far this year we have reported on two fines issued by the Italian DPA (Garante), on TIM Spa and Eni Gas E Luce for EUR 27.8 million and EUR 11.5 million respectively, and more recently on the £500,000 fine imposed on CRDNN Ltd by the UK’s DPA, the ICO.

With regulators cracking down on companies that mismanage personal data, it is imperative that companies ensure they comply with the GDPR, PECR 2003 and the DPA 2018. While this is only the third fine imposed by the Dutch DPA under the GDPR, the Dutch DPA is the first in the EU to publish its own policy for setting fines, which may inspire other countries to do the same.

 
