Anyone who has heard me talk about GDPR will know I don’t feel it’s particularly necessary to harp on about the coming apocalypse of financial super-sanctions. This is at least partly because we don’t know how severely the ICO will impose fines, and partly because too much FUD (‘fear, uncertainty and doubt’) about the potential fines is already being peddled by others. Typically I tend to focus instead on the operational (and technical) challenges that will come with the additional information governance obligations, enhanced data subject rights and the increased likelihood of civil actions by data subjects.
For this blog, however, I plan to make an exception and write about a recent enforcement action taken by the ICO where a large fine was imposed. A private medical business was the recipient of a £200,000 fine. Under the Data Protection Act 1988, the ICO has rarely imposed a fine this high. It is perhaps a reasonable assumption that the fine might be higher under the GDPR, where the maximum sanction increases to €20m. The transgression did not involve the common headline-grabbing reasons for a personal data breach. There was no hack. There was no malicious activity. There were no mislaid files. The initial transfer of data outside the company, and for that matter the country, involved no written files. This is where the problem arose, because the organisation had good data protection practices around personal data held in obvious formats, such as documents and application data. They were undone, however, by failing to apply the same standards to a less obvious format – specifically, personal data held and processed in audio format.
The private hospital at the centre of this story is part of a worldwide network of private health care facilities offering a range of services including fertility treatment. An issue was uncovered in April 2015 when a patient found that transcripts including details from interviews with IVF patients could be freely accessed by searching online. During the subsequent investigation it was revealed that the hospital had been routinely sending unencrypted audio records of the interviews by email to a company in India since 2009. Details of private conversations between a doctor and patients wishing to undertake fertility treatment had been transcribed in India and then sent back to the hospital.
Undoubtedly, this was personal data. One can scarcely think of more personal data. But it was in audio format. Interestingly, the medical firm was noted for having good practice elsewhere in its approach to data protection. I cannot be sure in this instance but often a small change in context can affect our ability to see the obvious. Everyone who has seen and missed the ‘invisible gorilla’ in the selective attention test video by Chabris and Simons will understand this. We do it in our personal lives all the time. If you focus your concentration too tightly, you lose peripheral vision.
It might be worth stating how the ICO currently defines a breach: “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed…”. That is pretty wide. Add that to the wide definition of personal data I have outlined in a previous blog and you can see how a narrow-beam search for potential personal data breaches may not be the best approach.
So what’s the suggested takeaway? When identifying personal data within your organisation, you should look for it in the obvious places, but not at the expense of missing the less obvious. Certain tools may or may not have picked up that the audio files contained personal data, but asking the right questions of the process owner undoubtedly would have done. Likewise, don’t just focus on the personal data that your organisation ‘should’ have been collecting; look at all personal data that actually ‘is’ being collected and processed. In the same way that employees will use ‘shadow IT’ to achieve their objectives, there’s a good chance that some will also be ‘shadow processing’ personal data without understanding the implications.
An accidental or incidental accumulation of personal data – including special category data – is easily missed, much like the invisible gorilla. A prime offender here is email, but CCTV is also often overlooked, as are old-fashioned paper files. So the recommendation is not so much the tired analogy of thinking outside the box, but rather to look outside the virtual and real boxes in which you are expecting to find personal data. Not least because, as possibly happened at the aforementioned medical company, once personal data is in an unusual or unexpected format or location, even sensitive, special category data flows can go unseen and unprotected.
In short, when mapping your personal data, don’t miss the invisible gorilla. It could be a costly mistake.
Author: John Payne
John is an information governance consultant with Cybercrowd. He specialises in data protection, information risk management and GDPR readiness.