Following on from the recently reported data breaches by Police Services of Northern Ireland (PSNI) and the Electoral Commission (EC), organisations should take a step back and re-evaluate their compliance with UK data protection law. Whilst data protection remains a hot topic, the rules and guidance are not new concepts. Organisations need to be aware of their obligations in order to prevent and (if the situation unfortunately arises) to mitigate the effects of data breaches.
The recent spate of data breaches
The data breach suffered by PSNI was the result of human error: a spreadsheet containing the surnames, initials, ranks, grades, departments and work locations of all of its 10,000 officers and civilian staff members was published online. The error occurred when a staff member released the spreadsheet in response to a freedom of information request; the response was later published online and then removed. This is not, however, the only data breach suffered by PSNI in recent times, as it is currently investigating a second data breach in which documents and a laptop were stolen from a private vehicle, including a spreadsheet containing the names of more than 200 serving officers and staff.
While the home addresses of the individuals were not leaked, the release of staff names alone could still pose a serious risk to the safety and privacy of the personnel, as police have been targeted by paramilitary groups in Northern Ireland and many keep secret the mere fact that they are employed by PSNI. The breach could also have legal implications for PSNI under the UK GDPR and Data Protection Act 2018, which together regulate the processing of personal data in the UK. Data controllers, such as PSNI, must comply with the data protection principles, including ensuring that personal data is processed lawfully, fairly, and transparently, and that it is protected against unauthorised or unlawful access, loss, destruction, or damage.
As for the EC, the data breach it suffered occurred as a result of a cyber-attack in which attackers hacked the EC’s email system, gaining access to the email addresses and contact telephone numbers of over 40 million voters. Unlike the PSNI breach, which was remedied within hours (although, as the famous saying goes, once on the internet, always on the internet), the EC was unaware of the cyber-attack until more than one year later. The EC data breach has also sparked wide concern because, although the breach was first identified in October 2022 and the relevant notifications to the Information Commissioner's Office (ICO) and National Crime Agency (NCA) were made, members of the public have only recently been informed that the electoral registers containing the data of millions of voters may have been accessible throughout that time.
In respect of both data breaches, each organisation has made public apologies and they continue to conduct internal reviews to address the issues. The ICO has also been notified and continues to make enquiries into the situations affecting each of the organisations before determining suitable outcomes.
What next?
The ICO, which is the UK's independent authority for upholding information rights, has the power to investigate and take enforcement action against data controllers who breach UK data protection law. The ICO can issue notices, warnings, reprimands, or fines, depending on the nature and severity of the breach, and can also prosecute criminal offences set out in the legislation.
Although the ICO has recently adopted a slightly softer approach towards the public sector by issuing warnings and enforcement notices more regularly, the use of fines should not be ruled out here and all organisations processing personal data should certainly be alert to this prospect. The ICO will take into account all of the circumstances when investigating a breach, and specific risks and sensitivities are likely to influence their response – specifically for the PSNI breach, we imagine the ICO will consider the fact that the breach could (and should) have been avoided had greater care been taken.
The potential for class actions which could arise following data breaches should also be acknowledged. Under UK data protection law, individuals are entitled to claim compensation if they suffer damage or distress as a result of a breach. Class actions have been rare in the UK so far, but with high profile breaches continuing to make their way to the doorstep of the ICO – and into media headlines – the threat of such actions is certainly a significant risk; one which organisations such as PSNI and the EC need to be mindful of.
Prevention is better than cure
So, what should your organisation be thinking about in light of such data breaches? Human error and malicious cyber-attacks (the causes of the recent data breaches mentioned above) are two of the most common reasons for breaches occurring; therefore, understanding how to prevent these is imperative.
The risk of human error is minimised by ensuring that everyone throughout your organisation has had an appropriate level of training on data protection and data security. The level at which that training is pitched, and the frequency with which you should refresh it for your staff, will depend on various factors, including how data heavy your business is, the (potential) sensitivity of the data you hold – always determined with an eye on ‘the bigger picture’ – and the different roles those individuals play within the organisation.
Key stakeholders within your organisation must be fully engaged, so that they understand and appreciate the risks where data is not handled properly or is accessed unexpectedly by someone with ulterior motives. That message then needs to be cascaded down, so that people at all different levels clearly understand what is required and expected of them.
For cyber-attacks, whilst there is nothing stopping an attacker from attempting to hack into an organisation’s systems (although an organisation should always adopt good anti-malware software and other security measures), the policies and procedures that an organisation has in place play a huge part in preventing a breach. However, simply having appropriate data breach policies and procedures in place is not enough – they should be tried and tested to ensure they are fit for purpose.
In addition, staff not only need to be aware of the existence of the relevant policies, but they should be familiar with their content before they ever need to be engaged. If a breach occurs, the first few steps in the first few hours are critical, and the situation can often be very high pressure as the right people from senior management and the right advisors (both legal and technical) are all looped in to help stem and manage the breach. Once a controller becomes aware of such an occurrence, a determination needs to be made quickly as to whether that breach should be notified to the ICO and/or to the affected data subjects. If notifying the ICO, that needs to happen within 72 hours of the controller becoming aware of the breach.
Imagine adding to that pressure by not being able to locate the relevant information about your organisation’s plans and procedures for managing a breach, or not knowing who – either within or outside of your organisation – to inform and liaise with about the breach. Trying to read through and understand a data breach policy or procedure document for the first time in a high pressure situation is not fun for anyone! Senior management need to ensure that the relevant individuals throughout their business already have a good understanding of the process before they ever actually need to deal with such an event.
The breaches suffered by PSNI and the EC serve as a lesson for UK organisations on the importance of complying with UK data protection law and ensuring data protection by design and by default. We have included some tips to help organisations avoid or mitigate similar issues:
- have strict protocols for public authorities responding to FOI requests where the requested information could potentially contain personal data, and ensure that any data released is fully and properly anonymised;
- have access controls and undertake a thorough review process before publishing any data;
- provide regular staff training on data protection responsibilities;
- ensure that all policies and procedures are tried and tested and not simply a paper-pushing exercise;
- have a data breach response plan in place including ensuring that relevant individuals are engaged in the process and proper notifications (if required) are made; and
- continually monitor compliance in all areas.
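The first two tips above (a review step before anything is published, and proper anonymisation of what is released) can be made concrete with a small automated check run over an export before it leaves the organisation. The following Python script is an added example written for this article, not code from the firm or from either organisation discussed; it assumes the export is a CSV file and uses a constructed sample in the shape the PSNI spreadsheet is reported to have had (surname, initials, rank, department, work location), with fictional names. It goes a step further than the text: besides flagging columns that directly identify a person, it checks that no combination of the remaining "quasi-identifier" columns (rank, department, location) is shared by fewer than k people, because dropping the name column alone can still leave an individual identifiable, for example a single senior officer in a small unit.

```python
import csv
import io
from collections import Counter

# Illustrative lists (an assumption for this example, not an official ICO
# list): fields that identify a person directly, and fields that do not on
# their own but can single someone out in combination.
DIRECT_IDENTIFIERS = {"surname", "initials", "name", "email", "phone"}
QUASI_IDENTIFIERS = {"rank", "grade", "department", "work location"}


def _parse(csv_text):
    """Return (original header list, list of row dicts)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return list(reader.fieldnames or []), list(reader)


def _quasi_headers(headers):
    return [h for h in headers if h.strip().lower() in QUASI_IDENTIFIERS]


def _group_key(row, quasi_headers):
    return tuple(row[h].strip() for h in quasi_headers)


def review_export(csv_text, k=5):
    """Pre-release review of a CSV export.

    Flags (1) any column that is a direct identifier and (2) any combination
    of quasi-identifier values shared by fewer than k rows, since such a row
    can be re-identified even after names are removed (a k-anonymity check).
    """
    headers, rows = _parse(csv_text)
    direct = sorted(h for h in headers if h.strip().lower() in DIRECT_IDENTIFIERS)
    quasi = _quasi_headers(headers)
    counts = Counter(_group_key(r, quasi) for r in rows)
    rows_below_k = sum(c for c in counts.values() if c < k)
    return {
        "direct_identifiers": direct,
        "quasi_identifiers": quasi,
        "min_group_size": min(counts.values()) if counts else 0,
        "rows_below_k": rows_below_k,
        "release_ok": not direct and rows_below_k == 0,
    }


def drop_columns(csv_text, columns):
    """Return the CSV with the named columns removed (case-insensitive)."""
    headers, rows = _parse(csv_text)
    drop = {c.lower() for c in columns}
    keep = [h for h in headers if h.strip().lower() not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def suppress_small_groups(csv_text, k=5):
    """Return the CSV with rows removed whose quasi-identifier combination is
    shared by fewer than k rows (record suppression, one standard
    anonymisation technique)."""
    headers, rows = _parse(csv_text)
    quasi = _quasi_headers(headers)
    counts = Counter(_group_key(r, quasi) for r in rows)
    kept = [r for r in rows if counts[_group_key(r, quasi)] >= k]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=headers, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue()


# Constructed sample export: fictional names, shape modelled on the post.
RAW_EXPORT = """Surname,Initials,Rank,Department,Work Location
Smith,J,Constable,Roads Policing,Station A
Jones,A,Constable,Roads Policing,Station A
Brown,K,Constable,Roads Policing,Station A
Taylor,M,Constable,Roads Policing,Station A
Wilson,P,Constable,Roads Policing,Station A
Evans,R,Chief Inspector,Cyber Crime,HQ
"""

if __name__ == "__main__":
    print(review_export(RAW_EXPORT))                 # names present: not ok
    no_names = drop_columns(RAW_EXPORT, ["Surname", "Initials"])
    print(review_export(no_names))                   # one unique row: still not ok
    print(review_export(suppress_small_groups(no_names)))  # ok to release
```

The point the three runs make is the one the second tip leaves implicit: removing the name columns is necessary but not sufficient, and a release should only be signed off once the checker reports `release_ok` (or the residual risk has been consciously accepted and recorded). The value of k and the identifier lists should be set by whoever owns the data protection policy, not by the script.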
Final comments:
The ICO’s expectations of organisations are relatively high these days. The current legislation is no longer new, and businesses are expected to be organised and proactive, investing time as well as money appropriately in managing the risk around data.
If a breach was to occur, and your organisation was put under the microscope by the ICO, could you confidently argue that you are as compliant as you can and should be? Perhaps, five years since the introduction of the GDPR, it is time to take a step back and revisit your existing policies and processes and see if there are any loose ends that can or should be tidied up.
If you need advice or assistance in preparing the necessary underlying policies or considering your contracts with suppliers and others who might be accessing your data, we can help with that. Likewise, if you want to arrange training to ensure that the relevant people are appropriately positioned to (i) minimise the risk of a breach occurring and (ii) properly manage the situation if the worst-case scenario arises, please get in touch. As well as being well placed to assist with pro-active compliance, we have significant experience in advising and supporting on breaches impacting on clients in a range of sectors.