Posted Wednesday May 16, 2018
I’m guessing when you hear ‘data breach’ you’re thinking of Tom Cruise hanging from a ceiling, copying files onto one of those old-school, not-so-floppy discs in a secret government facility. Maybe it brings to mind stories of someone losing a USB stick or (completely hypothetical, this one) leaving their mobile in a taxi.
You’ve no doubt read pages and pages on GDPR, so I’m not going to bore you with another of those “with GDPR coming into force…” type of introductions – let’s dive straight in…
What is a Data Breach?
A data breach is when a person, a group of people, or an organisation or company gains access to personal information that they aren’t authorised to see. It isn’t just about sharing passwords, getting hacked or being caught out by cyber-attacks – incidents that could be considered data breaches are wide-ranging, such as:
- Confidential documents being left on a train
- Laptops or other storage devices being stolen (in or outside of a Practice)
- A member of staff illicitly copying or viewing somebody’s details (staff or patients)
- Accidentally (or deliberately) deleting records
They can be categorised in different ways:
- Confidentiality Breach: unauthorised or accidental access to, or disclosure of, personal data
- Availability Breach: accidental or unauthorised loss of access to personal data, or its deletion or destruction
- Integrity Breach: changes made to personal data, whether accidentally or without authorisation
What’s probably now etched into your mind is that the Information Commissioner's Office (ICO) can fine businesses up to 10m Euros, or up to 2% of their global turnover, if they don’t notify the authorities about a data breach.
(Seriously - how many practices have a global turnover? Or ten million Euros for that matter?)
What do I do if I suspect there’s a Data Breach?
Firstly, don’t panic. Check if it really is a data breach and discuss it with the Data Controller (the DC is the person who would have to report it to the ‘Regulating Authority’).
Next, try to fix the breach as far as possible. If it’s an email that’s accidentally been sent to the wrong person/people, can it be recalled? (Outlook can recall or resend emails and will tell you whether or not the recall succeeded for every recipient; bear in mind that recall only works for recipients in the same Exchange organisation and only if they haven’t already opened the message.) You need to limit the impact of the breach or try to contain it so it does no further damage.
When you have determined whether the situation can be recovered or not, you need to look at the extent of the breach – how bad was it, or was it really that bad at all? Get as much detail as possible about what happened, who has been affected and to what extent, and what type of personal data has been breached.
You need to record the incident in your Practice’s Data Breach Register – this will be your record of incidents that relate to the practice, what happened and how you dealt with it (if you don’t have a Data Breach Register yet, we’ve got one in our GDPR Section which members can find here.)
Do I have to report every data breach?
Depending on how serious the breach is, you will need to notify the Data Protection Authority within 72 hours of becoming aware of it. The GDPR says that you don’t need to do this if “the risk to freedoms and rights of the data subjects is unlikely”.
So what does that mean in real terms?
Let’s say you lose a USB stick, or even a mobile in a taxi (look, it happens – don’t judge me!). There is personal data of some form on that device, and now it’s gone.
If the data was encrypted (and the key or password wasn’t lost along with the device), then there is only a limited chance that it could be accessed or misused, and so the incident poses a very low risk to the data subjects. Every incident still needs to be logged in your Data Breach Register, but you might not need to report this one. If you do report it, then provide as many details as possible:
- A description of the personal data breach
- Categories of personal data involved
- The approximate number of data subjects that may be affected
- The name and contact details for the Data Controller
Once you’re satisfied that the data breach has been contained, it’s time to reflect on what happened:
- How did the breach happen?
- Are there any lessons we must learn?
- Do any additional actions need to be put in place?
After answering the above questions, add the actions and reflections to your register as lessons learned, and share your findings with the rest of the Practice – it’s OK to learn from things going wrong; it’s not OK to ignore it and think it will go away.
Bottom line – how much trouble will I be in?
A Data Breach will always be a serious issue, but if you’re already familiar with the IG Toolkit requirements, you’ve got this covered – it’s been a part of the Toolkit since forever, and the practice of ‘Incident Reporting’ is part of your IG submission every year (from 2018 the IG toolkit has been replaced by the Data Security & Protection Toolkit, which you can find out about here.)
If you’ve already been implementing the data protection requirements from the IG Toolkit, then you can deal with a data breach.
‘What to do in a Data Breach’ Summary
- Processors – inform the Controller of a data breach as soon as you become aware of it
- Give the Controller as much information as possible about the breach
- Controllers – take remedial action to contain or limit the impact of the data breach
- Start to establish more details of the breach (what happened, is personal data involved, etc.)
- Estimate the number of data subjects whose personal data may have been breached
- Complete the Practice’s Data Breach Register
- If the breach severity is high, then notify the Supervisory Authority
With First Practice Management’s GDPR resources you’re ready for anything. Keep an eye on the FPM Policy Library for more documents to help your practice stay GDPR compliant, and head to our GDPR Toolkit area for access to even more resources.