Carl Selby, Partner & Head of Tech Sector, RWK Goodman
Data breaches are now headline news. Whether it is Meta (Facebook) being fined €1.2bn or MGM in Las Vegas suffering a ransomware attack, data breaches are in the spotlight like never before.
They are also inevitable; it is very much a case of when, not if, a data breach happens.
A data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. All of the following are data breaches:
- Service user records being accessed by a hacker;
- Ransomware preventing access to service user records;
- Leaving documents containing personal data on a train; and
- Sending an email or post containing personal data to the wrong recipient/address.
However good your systems and processes are, human error and attackers who adapt faster than the defences deployed against them mean there will always be a risk of a breach.
Data protection legislation requires controllers who process special category data (including health information about service users) to put in place higher levels of protection, so care providers need to take extra care.
Minimising the risk
If you have to report a breach (or someone complains), the Information Commissioner’s Office (ICO) looks at your data protection compliance processes. The ICO does not expect perfection, but it does expect you to demonstrate that you have taken data protection seriously. To do this:
- Keep a record of processing activities (often called a data map) recording the personal data you collect, how it is processed and the lawful basis on which you process it.
- Tell service users and staff how you process their personal data in a privacy notice and keep it up to date.
- Implement, follow and regularly update your policies (you would be amazed how many clients draft a policy and then do not follow or update it).
- Consider getting cyber insurance that covers the cost of responding to a breach as well as the potential fines and damages (check the policy wording carefully: cover for regulatory fines is not always available).
- Implement appropriate technical and organisational measures to safeguard personal data. Simple steps can go a long way, such as:
  - using strong, unique passwords and multi-factor authentication (particularly on email and any remote access);
  - having appropriate firewalls and up-to-date security software on every device;
  - keeping (and regularly testing) proper backups, with at least one copy kept offline or otherwise out of reach of an attacker who has compromised your live systems, so that ransomware cannot encrypt the backups as well;
  - encrypting data at rest and in transit;
  - implementing policies on securely storing physical documents;
  - access controls so that staff can only see the personal data they need for their role; and
  - patching systems with security updates promptly.
- Train your staff regularly on their data protection obligations and what to do if a breach (however minor) happens.
- Complete due diligence on third parties who process personal data for you and make sure your contract with them has appropriate data processing clauses.
- Have a plan to respond to a data breach. If a breach is notifiable, you have 72 hours from becoming aware of it to report it to the ICO, and where the breach is likely to result in a high risk to the individuals concerned you must also tell them without undue delay; working out what to do from scratch will waste valuable time. You should test the plan by simulating a breach to identify areas that can be improved.
The consequences
The ICO can impose fines of up to £17.5m or 4% of worldwide annual turnover, whichever is higher. But this is not the only risk. Data subjects are making more direct claims arising from data breaches, often through claims management companies. The CQC is increasingly taking data protection seriously, and the reputational damage may make a prospective service user think twice when selecting a care provider.
Given the risks, taking specialist advice to prepare for a breach will help significantly reduce the impact when it happens. Proper preparation really does prevent poor performance (and penalties!).