Cyber attacks and data theft hit the headlines but it’s the everyday actions of employees that are more likely to lead to data breaches, says David Jones, employment solicitor at Myersons. Here, he outlines how employers can mitigate the risks.
When employers consider their risk exposure for data breaches, their thoughts usually turn to cyber-attacks or data theft on a massive scale. After all, these are the stories that generate the majority of media headlines. However, the most common form of data breach occurs through the everyday actions of individual employees.
Mistakes happen in the workplace, from the unencrypted USB stick containing customer contact details that is accidentally left on the train, to the highly confidential email accidentally sent to the wrong recipient (the auto-complete feature included in most email packages has a lot to answer for in this regard). Even the most well-intentioned employee could do something – or fail to do something – that results in an investigation being conducted by the Information Commissioner’s Office (ICO).
So, it is important for employers to have robust procedures in place, reinforced by meaningful staff training. Employers cannot prevent every minor lapse at the individual level, but such procedures and training would assist an employer in demonstrating to the ICO that they took all reasonable steps to prevent it from happening. Even if it does not avoid liability altogether, it could at least assist an employer as mitigation to reduce the penalty.
A recent example
On 31 May 2017 the ICO issued a ‘Monetary Penalty Notice’ of £150,000 against Basildon Borough Council. In this instance, an employee made the mistake of failing to spot sensitive personal data within a document that was published on the Council’s public website.
On 16 July 2015 a statement in support of a planning application on green belt land was received at the Council. To give effect to its obligations on public consultation, the Council uploads these types of statements to its website. A traveller family had lived on the site for several years. The statement contained detailed information about the family: not only their names and ages, but also their disability status and mental health issues. The established policy of the Council was that a planning technician would review the planning statement and redact any personal data before publication. On this occasion the planning technician was inexperienced. He did not notice the content that identified the family.
The Council’s administrator assumed that the planning technician had redacted the statement, and simply uploaded the document once it had been reviewed. In its findings the ICO criticised the Council for not including a second check at this stage within their procedure, given the sensitivity of the personal information that was at risk of being disclosed.
The unredacted document was published on 16 July 2015. It was not removed until 4 September 2015. The family themselves did not complain, nor did they even know about it. However, it was immaterial to the ICO whether there had been a complaint from the family, or whether they even knew about it. The issue for the ICO, as it is with all such cases, was whether an individual could have been identified, and how long the information was publicly available.
The ICO held that the Council were in breach of the seventh ‘Data Protection Principle’:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (Schedule 1 Data Protection Act 1998)
The ICO was highly critical of the Council. One of the key findings was that “Basildon did not provide any (or adequate) training to planning technicians on the redaction of statements”. In assessing the penalty the ICO was also mindful that the data disclosed was in the category of ‘sensitive personal data’, and that it was publicly available for six weeks until the breach was discovered (the decision gives no details on how the breach was discovered).
Therefore, a simple matter of one employee failing to redact a document resulted in a fine of £150,000.
What can employers do about this?
The comments of the ICO at paragraph 41 of their decision get to the heart of what employers need to do: “Basildon ought reasonably to have known that there was a risk that this contravention would occur unless it ensured that the process was governed by adequate written procedures, undertaken by staff with appropriate experience and supervision.” (my italics)
Such guidance demonstrates the measures that employers should take:
Implement procedures that are sufficient for the particular risk. In the Basildon case the potential risk was that sensitive personal data could be uploaded onto a public website, and so the consequences for an individual could be particularly distressing. The robustness of the procedures should be relative to the potential consequences of the breach.
Educate your employees. Training should not only deal with the processes to follow, but also the reasons why data privacy is so essential, and why breaches can be distressing to individuals. Too often, data protection training takes a “tick-box” approach to learning the workplace procedures. Employees are more likely to be motivated to comply with the procedures if they understand why compliance is necessary, and become engaged with the issue in wider terms, with a focus on the human consequences of data breaches.
Make someone within your organisation responsible for data privacy. This would address what the ICO refers to as “supervision”. Give that person organisational backing and authority. If an employer does not already have a ‘Data Protection Officer’, consider appointing one – some categories of employer will need to do this in any event before 25 May 2018, when the GDPR (General Data Protection Regulation) comes into effect.
Conduct regular compliance audits. With the implementation of GDPR this could be a great opportunity to take stock of the situation and conduct an organisational health check. As with regular health and safety audits, they will be less time-consuming if they are done regularly.
Change the culture. Going forward, data protection will need to be approached with a similar mindset to health and safety matters. This means an organisational culture built around the principles of risk assessment, corrective action being taken “before the event”, and lessons learnt from any breaches or near misses.
Postscript: General Data Protection Regulation
As mentioned above, the General Data Protection Regulation must be complied with no later than 25 May 2018. This will provide an additional incentive for organisations to avoid data protection breaches, because the maximum penalties available to the ICO will increase significantly. Under the current Data Protection Act the maximum fine is £500,000. The GDPR will increase the maximum to €20 million or 4% of global turnover (whichever is the higher).
The financial consequences for data protection breaches are about to increase. So, perhaps now is the time for organisations to instruct their IT departments to disable auto-complete on the email system.