Recent ICO Decisions on WhatsApp and Email usage

There have been some recent ICO decisions that we wanted to share with you:

UK regulator reprimands health body for sharing patient data via WhatsApp

The Information Commissioner’s Office has issued a reprimand to NHS Lanarkshire, following staff’s unauthorised use of WhatsApp to share patients’ personal data over the course of two years. Between April 2020 and April 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where patient data were entered on more than 500 occasions, including names, phone numbers and addresses. The ICO recommended a number of measures, including establishing a secure clinical image transfer system as part of the health body’s exploration regarding the storage of images and videos within a care setting. The ICO also recommended that before deploying new apps, the health body should consider risks relating to personal data and include the requirement to assess and mitigate these risks in any approval process.

All staff are reminded to not use WhatsApp to process personal data.  A very small number of staff are permitted to use WhatsApp in exceptional cases, where it is considered that there is a higher risk to a service user of not using WhatsApp than there is of using it.  In these cases the messages should be downloaded to an MVDC system and deleted from the device they were captured on without delay.

ICO warns of email data breach risk as it issues two reprimands

The ICO has reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. The Patient and Client Council and the Executive Office disclosed recipient details by using inappropriate group email options. The organisations should have found an appropriate alternative such as mail merge. John Edwards, the UK Information Commissioner, said: “This type of data breach is all too common but is easily avoidable. Organisations must take responsibility for training their staff properly and for putting appropriate systems and policies in place to avoid such incidents. Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them. That could be very distressing and potentially harmful to the people affected.”

Remember to check the content and the recipient list of your own messages before hitting "Reply All", and always put group recipients with private email addresses in BCC so that they cannot see each other's addresses. Where each person should receive their own copy, use a mail merge instead of a group email.
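The following is an added example, not part of the ICO notices or this newsletter, showing the three ways of addressing a group mailing in Python's standard `email` library: everyone in To (the pattern behind the two reprimands), the group in BCC, and a mail merge that sends one message per recipient. It also includes a pre-send check that flags a message in which more than one address outside the organisation's own domain would be visible to every recipient. The domain `example.org` and the recipient addresses are constructed sample data, not real ones.

```python
"""Added example: group mailings that do not leak recipients' addresses."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for this example (assumed organisation domain and recipients).
OUR_DOMAIN = "example.org"
SENDER = "noreply@" + OUR_DOMAIN
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.com"]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient can read once the message is delivered.

    Only To and Cc travel in the delivered header block; smtplib.SMTP.send_message()
    removes any Bcc header before transmission, so Bcc entries are deliberately
    not counted here."""
    pairs = []
    for field in ("To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(field, [])))
    return [addr.lower() for _, addr in pairs if addr]


def exposes_external_recipients(msg: EmailMessage, limit: int = 1) -> bool:
    """Pre-send check: True when more than `limit` addresses outside OUR_DOMAIN
    would be disclosed to each other. A single external address in To is normal
    correspondence; several is the pattern the ICO reprimanded."""
    external = {a for a in visible_recipients(msg) if not a.endswith("@" + OUR_DOMAIN)}
    return len(external) > limit


def build_group_message(subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """The unsafe pattern: the whole group in To, so everyone sees everyone."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """Safer: sender in To, the group in Bcc. The Bcc header stays on the object
    until send_message() strips it, so recipients never see each other."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(subject: str, template: str, recipients: list[str]) -> list[EmailMessage]:
    """Mail merge: one message per recipient, each addressed only to that person."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(template.format(recipient=rcpt))
        out.append(msg)
    return out


if __name__ == "__main__":
    group = build_group_message("Service update", "Hello all", RECIPIENTS)
    print("group email exposes recipients:", exposes_external_recipients(group))
    bcc = build_bcc_message("Service update", "Hello all", RECIPIENTS)
    print("bcc email exposes recipients:", exposes_external_recipients(bcc))
    for m in build_individual_messages("Service update", "Dear {recipient}", RECIPIENTS):
        print("merge copy to", m["To"], "exposes:", exposes_external_recipients(m))
```

The check is the piece worth wiring into an outbound mail gateway or a send hook: it inspects only what the recipients will actually receive, so a message that keeps the group in Bcc passes while the same group pasted into To or Cc is stopped before it leaves.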

Two reprimands issued over data security breaches

The ICO has issued a reprimand to an unnamed recruitment company for infringements of Articles 5(1)(f) and 32(1)(b) (the data security provisions) of the UK GDPR. The organisation had misconfigured a storage container holding 12,000 records relating to 3,000 workers so that it was publicly accessible, with no authentication required to read it. The ICO has also reprimanded the law firm Swinburne, Snowball and Jackson for infringements of the same UK GDPR data security provisions. The regulator has published the lessons learned from these and other reprimands.

This serves as a timely reminder that personal data held in hard copy needs the same protection as personal data stored electronically, and that any storage location for personal data must be checked for unintended public access. Click on the links to find out more.
