GDPR accountability – you’re accountable, aren’t you?

GDPR rules are an ongoing responsibility and every organisation remains accountable for creating an appropriate GDPR environment.

GDPR accountability is for life, not just for May 2018. Now that the rules and regulations are firmly settled in, don’t forget that every organisation remains responsible for creating an appropriate GDPR environment.

What might this mean in the real world? Our GDPR expert, Karen Heaton, takes a look at Accountability.

In our blog today, we look at Accountability, one of the Seven Principles of GDPR and the Data Protection Act 2018.

What is accountability?

Accountability is your requirement to demonstrate how your organisation or practice is compliant with the regulations.

This sounds simple, but what does it really mean?  If ever audited or investigated, what would you show the investigators?

Let’s take a look at the route to Data Protection compliance and some essential measures that organisations should have in place to meet this requirement.

What is the minimum you might need to meet the Accountability requirements?

  1. Ensure your employees have some training in Data Protection – this is the responsibility of the Controller
    • We discussed the causes of Data Breaches in an earlier blog: 30% – 40% are due to employees
  2. Do you know what data you hold? We discussed Know Your Data (KYD) in our blog on Data Breaches
    • why you have that data
    • what you do with it
    • who sees it
    • where it is kept
  3. Understand your role – this determines what your responsibilities are
    • are you a Data Controller, a Data Processor or both (highly likely)?
  4. Have essential operational policies and procedures (measures) in place to deal with:
    • Data breaches
    • Subject Access requests
    • Management of consent
  5. Have you communicated your Privacy Notices to clients, employees, suppliers?
  6. Do you need to register with the Information Commissioner’s Office (probably)?
    • Use the checklist from the ICO
    • The fees are explained here – for small and medium companies the fees are £52 and £78.
  7. Decide who will be responsible for Data Protection within your organisation – it must be someone!


Today’s fact:

The ICO uses a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.

  • Put the essential operational measures in place now to avoid issues in the future.

See you next week!

Rights to access using Subject Access requests (SAR)

What happens when someone asks to know what data your organisation is holding about them? In this latest blog our GDPR expert, Karen Heaton, looks at what to do if you receive a Subject Access Request.


In our blog today, we look at a data subject’s right to access, a powerful tool for individuals who have concerns about what information organisations hold about them. Unfortunately, it can also be used for litigious purposes, so such a request should be taken very seriously within your organisation. Please read on!

A data subject, in other words, you or I, can request a free copy of all personal data relating to us that an organisation holds – in any format – paper files, digital, videos or voice records.

OK, do I have your attention now? Even for a small organisation, that can amount to a lot of data.

Oh, and you have one calendar month to respond.

So, what must you provide and what is exempt? Well, let’s see…

What information must I provide?

You must provide the following long list of information in relation to the personal data being processed as well as the data themselves:

  • the purposes of your processing
  • the categories of personal data concerned
  • the recipients or categories of recipient you disclose the personal data to
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
  • the existence of their right to request rectification, erasure or restriction or to object to such processing
  • information about the source of the data, where it was not obtained directly from the individual
  • the existence of automated decision-making (including profiling)
  • the safeguards you provide if you transfer personal data to a third country or international organisation
  • the right to lodge a complaint with the ICO or another supervisory authority

I have a question or two:

  • would you know where to find the data?
  • would you be able to respond to the other information points above regarding the data you hold?

This is not a simple task and can amount to an operational headache for many organisations.

What information can I withhold?

The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared or it is reasonable not to require such consent – confused?). For example, an email chain where people other than the data subject are mentioned would need to be considered for redaction. How easily can your organisation find, review and redact third party information?

Other examples of exempted information:

Specific information regarding medical organisations

Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.

Subject Access Request (free) vs Access to Medical Reports Act 1988 (chargeable)

Requests from Solicitors acting on behalf of a Patient

The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances in which a medical practice will be able to lawfully decline such requests.

In this instance, you should ask the person acting on their behalf whether there is specific data that they require: for example, are they requesting data covering a specific time period, illness or operation? This is a valid question for you to ask if the patient data file is substantial.

Tip: Don’t forget to get valid consent from the patient to disclose their personal and sensitive data to the Solicitor or third party.

If, however, the request asks for a report to be written, or for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.

Requests from an Insurance company

The British Medical Association, ICO and Association of British Insurers currently advise that Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.

So, that scenario is a bit more clear cut. 😊

The bottom line is….

Your organisation or medical practice must take the time to consider and plan how to respond to a Subject Access Request from an operational perspective. Don’t wait until you receive one to work out how it should be done. The clock starts ticking from the day you receive the request.


Today’s fact. Access to your data is a basic right under GDPR and the Data Protection Act 2018. A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request.

Further failure to respond to requests from the ICO, and to any Enforcement Notice it serves, is a criminal offence.

=> This is the worst-case scenario and easily avoided. Ensure you have a robust operating procedure to handle Subject Access Requests and train your staff in how to respond, when to respond and what information to provide.

See you next week!


GDPR – what to do if you have a data breach

What exactly constitutes a reportable data breach? Whose responsibility is it to report it?

Despite your best efforts with GDPR your business might suffer a data breach.

It’s probably not the end of the world but in this blog data protection expert, Karen Heaton, explains what happens next.

We have discussed in our previous blog the potential level of fines for data breaches and some common causes of these breaches.

Our blog today answers the questions: what exactly constitutes a reportable data breach? Whose responsibility is it to report it?

We will look at guidance from the European Data Protection Board on examples of data breaches and on whether to report them to the data subject/s or the Information Commissioner’s Office (ICO).

What constitutes a data breach?

Data Breach Definition – defined in the GDPR Article 4(12) as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

What this means in practice is that all data breaches are security failures, but not all security failures are data breaches. And… not all data breaches have to be reported to either (or both) the data subject/s or the ICO.


So, how do you know what to report or not? Have you had a breach? How would you know?

Examples of how you may identify a data breach

  • Employee loses a bag, phone, USB stick
  • Monitoring software identifies unauthorised access to an account or file
  • Large attachments are sent in outgoing emails to an employee’s private email account
  • A supplier (data processor) tells us that they have had a cyber-attack and data has been compromised
  • A client phones to say they have received an odd email from your company asking for bank details for an unexpected refund

Assessing a breach for reporting

When assessing a security incident, the Data Controller should:

a) assess whether the security incident has resulted, or is likely to result, in a loss of personal data, and then

b) decide whether that breach will, or is likely to, result in a high risk to the Data Subject.

Of course, this depends on the type, volume or subject matter of the data.

Each breach will have its own unique characteristics depending on the organisation and data affected. See the full list of guidance from the European Data Protection Board here.


How to report a data breach

It is the responsibility of the Data Controller to assess, resolve and report data breaches. Any suppliers (Data Processors) who are involved in the incident must assist the Data Controller in the investigation and provide fixes where appropriate. Therefore, it is important to Know Your Data (KYD) and ensure that you understand your responsibilities in each potential scenario.

  • Once the Data Controller has assessed that the data breach is likely to result in a high risk to the data subjects, they must report it to the ICO within 72 hours of becoming aware of a breach that requires reporting.
  • The Data Controller must then decide how and when to notify the data subjects affected. It is essential to have an operational process or plan for staff to follow.

Today’s fact. Did you know that the ICO’s website lists organisations that have been or are being audited, as well as organisations being monitored over concerns about their compliance?

=> Take your data protection responsibilities seriously, know your data (KYD) and be operationally compliant to avoid the reputational damage of your company name being listed on the ICO website.

See you next week!