The recent incident at the 56 Dean Street clinic saw the well-rehearsed line of “it was human error” put forward. But who committed the error? The person who pressed ‘send’ or the management who appear to have permitted the use of a normal email system to distribute the newsletter?
Everyone knows how easy it is to accidentally send an email to the wrong person, and that a moment's inattention can lead someone to put a distribution list in "cc" instead of "bcc". In many contexts the impact of accidentally disclosing an email distribution list would be minimal: it might let those on the list contact each other, or let someone learn that an acquaintance also receives that newsletter.
But this list belonged to an HIV clinic, so a single field of data (the email address) told every recipient that everyone else on the list had an association with the clinic. That, in turn, had the potential to reveal someone's previously confidential HIV status to others. The media are reporting the real-life impact of the breach.
This has echoes of the £200,000 fine for the British Pregnancy Advisory Service, where the contact details of women, when associated with the BPAS, meant you learnt they had sought advice on contraception and/or abortion. The ICO noted “some of the…details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker.”
With these issues in mind, consideration should have been given to (i) the potential impact should such a breach occur (ii) the likelihood of such an error occurring and (iii) whether these factors might require the use of a more secure, less risky means of distributing the newsletter.
This is not just hindsight. Tucked away in the Data Protection Act (DPA) is a requirement to weigh up the technology available to you (i.e. the solutions on the market); the implementation costs; what information is involved and the harm that might result from a breach, in order to agree on appropriate security measures.
The key question for all Data Controllers is this: when 'human error' happens (because it will) in relation to a risk that you "knew or ought to have known" could cause "substantial distress" to individuals, can you prove you took "reasonable steps" to reduce that risk? These are the criteria set out in Section 55A of the DPA for deciding whether a fine of up to £500,000 is justified.
Providing training to staff, and being able to prove they received it, is a good start, as is having a clear set of documented policies and procedures that are consistent and repeatable. This might be as simple as a second person checking the recipients of the email before it is distributed. Such organisational measures might have reduced the risk in this case.
But the question remains whether a more secure means of distributing the newsletter was considered, especially given the sensitivity of the data, the potential impact, the technical solutions available and their relative cost. If it was, you can at least debate your position with the ICO. If it was not, then the 'human error' is more properly attributed to management than to the person who pressed send.
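One technical control that removes the cc/bcc failure mode altogether is a pre-send gate: the sending tool refuses any message that exposes more than one address in To or Cc, and instead delivers one copy per recipient so that no recipient ever sees another's address. The script below is an added illustration of that idea, not code from the clinic, Protecture or the original post; the recipient threshold, the function names and the example.org addresses are assumptions constructed for the demonstration.

```python
"""Pre-send gate that stops a newsletter from disclosing its distribution list.

Added example: the policy (at most one visible recipient per outgoing copy),
the helper names and the sample addresses are all constructed for this
illustration, not taken from the page.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: any message that shows more than this many addresses in
# To/Cc is treated as a bulk send whose distribution list would be disclosed.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient will be able to read (To and Cc)."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(raw) if addr]


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses in Bcc; smtplib.send_message strips this header before sending."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_bulk_send(msg: EmailMessage) -> tuple[bool, str]:
    """Return (allowed, reason). Refuses a message that would expose the list."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        return False, (f"{len(exposed)} addresses exposed in To/Cc; "
                       "distribution list would be disclosed")
    return True, "ok"


def split_into_individual_messages(msg: EmailMessage) -> list[EmailMessage]:
    """Rewrite a bulk message as one copy per recipient, each addressed only to
    that recipient. Cc and Bcc are never carried over, so even a message that
    was drafted with the list in Cc goes out without disclosing it."""
    copies = []
    for addr in visible_recipients(msg) + hidden_recipients(msg):
        copy = EmailMessage()
        copy["From"] = str(msg["From"])
        copy["Subject"] = str(msg["Subject"])
        copy["To"] = addr
        copy.set_content(msg.get_content())
        copies.append(copy)
    return copies


def build_example_message() -> EmailMessage:
    """Constructed sample: the classic mistake, the whole list pasted into Cc."""
    msg = EmailMessage()
    msg["From"] = "newsletter@clinic.example.org"
    msg["Subject"] = "Monthly newsletter"
    msg["To"] = "newsletter@clinic.example.org"
    msg["Cc"] = "alice@example.org, bob@example.org, carol@example.org"
    msg.set_content("Newsletter body (constructed sample text).")
    return msg


if __name__ == "__main__":
    draft = build_example_message()
    allowed, reason = check_bulk_send(draft)
    print("send allowed:", allowed, "-", reason)
    for copy in split_into_individual_messages(draft):
        # Each copy is safe to hand to smtplib.SMTP.send_message individually.
        print("safe copy to:", copy["To"], "| visible:", visible_recipients(copy))
```

Run as a script it rejects the drafted message and prints four individually addressed copies, each showing exactly one visible recipient. The gate is deliberately blunt: a newsletter tool should never need more than one visible address per copy, so a threshold of one leaves no room for the cc/bcc slip the page describes. Whether the newsletter should go through ordinary email at all, rather than a dedicated mailing system, is the management decision the page is really about; this only makes the ordinary route fail safe.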
Protecture are running a free seminar ‘A CEO’s Guide to Data Protection risk’ on Wednesday 18th November in central London. Tickets are limited – learn more and book tickets here. Protecture will also be running a data protection surgery at the ACEVO Annual Conference. To book an appointment, please email firstname.lastname@example.org or call 0203 691 5731