10 December 2018


Data Protection: Beware staff curiosity; Germany accepts mitigation in 1st GDPR fine; Marriott suffers major breach; and ICO fines for failure to pay data protection fee.

ICO fines medical secretary for reading hundreds of patient records

A former secretary who succumbed to temptation and personal curiosity has been fined after admitting that she had unlawfully accessed and read the medical records of many of the surgery’s patients.

The secretary’s day-to-day duties at a GP surgery in Norfolk required her to lawfully access certain medical records to assist doctors, solicitors and insurance companies. However, in October 2017 some two years after starting work, the surgery discovered that she had been reading the medical records of a colleague without consent.

A further investigation by the surgery established that the secretary had unlawfully accessed and read the records of 231 patients over a two-year period without any valid reason to do so. These records included those of her relatives and friends, her colleagues and their families. Doing so was a violation of both data protection law and of the duty of confidentiality to patients at the surgery.

Appearing in a Magistrates’ Court, the secretary admitted four charges of accessing personal data in breach of s.55 of the Data Protection Act 1998. Despite having received training in the correct handling of medical records, the secretary accepted that she did not have a valid reason to access or read the records, and stated that she had struggled at work with boredom.

This case shows that compliance and proper training on privacy obligations must be paired with ongoing monitoring of record access, so that an organisation can confirm its practices are actually being observed by staff. Do you know what your staff are doing?
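The monitoring point above is easier to act on with a concrete check. The following is an added example, not code from the ICO case or any surgery system: it reviews a constructed access audit log (the log format, field names, staff list and threshold are all assumptions for illustration) and flags two patterns a privacy officer would want to follow up, views with no documented purpose reference and views of records belonging to current staff members.

```python
"""Flag patient-record accesses that lack a documented reason or target staff records.

Added illustrative example. The log format, field names, staff list and
threshold below are assumptions, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: one line per record view.
# Fields: timestamp, staff_id, patient_id, purpose reference ('-' if none).
SAMPLE_LOG = """\
2017-10-02T09:14:00 sec01 P1001 REF-4471
2017-10-02T09:20:00 sec01 P1002 INS-0930
2017-10-02T12:31:00 sec01 P2005 -
2017-10-02T12:33:00 sec01 P2006 -
2017-10-03T16:05:00 sec01 P3001 -
2017-10-03T16:07:00 sec01 P3002 -
2017-10-03T08:10:00 sec02 P1003 SOL-1122
2017-10-03T08:12:00 sec02 P1004 -
"""

# Constructed set of patient ids that belong to current staff members.
STAFF_PATIENT_IDS = {"P3001", "P3002"}


def parse_log(text):
    """Parse the whitespace-separated audit log into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, patient, ref = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "staff": staff,
            "patient": patient,
            "ref": None if ref == "-" else ref,
        })
    return events


def review_access(events, staff_patients, unjustified_threshold=3):
    """Return per-staff findings worth a follow-up conversation.

    A member of staff is reported when they have at least
    `unjustified_threshold` views with no purpose reference, or any view
    of a record belonging to a colleague.
    """
    findings = defaultdict(lambda: {"unjustified": [], "staff_records": []})
    for e in events:
        f = findings[e["staff"]]
        if e["ref"] is None:
            f["unjustified"].append(e["patient"])
        if e["patient"] in staff_patients:
            f["staff_records"].append(e["patient"])

    report = {}
    for staff, f in findings.items():
        flags = []
        if len(f["unjustified"]) >= unjustified_threshold:
            flags.append("unjustified_volume")
        if f["staff_records"]:
            flags.append("staff_record_access")
        if flags:
            report[staff] = {"flags": flags, **f}
    return report


def run_review():
    """Run the review over the constructed sample log."""
    return review_access(parse_log(SAMPLE_LOG), STAFF_PATIENT_IDS)


if __name__ == "__main__":
    for staff, r in run_review().items():
        print(staff, r["flags"], "unjustified views:", r["unjustified"])
```

Run on the sample, the review reports `sec01` (four unreferenced views, two of them colleagues' records) and leaves `sec02` out, whose single unreferenced view stays below the threshold. In practice the purpose reference would come from the practice's task or referral system, and the threshold would be set from a baseline of normal workload rather than the constant used here.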

Germany’s first GDPR fine: social media platform fined for improper data storage

Knuddels, a German social media platform, has been fined €20,000 following a data breach exposing the personal information of 330,000 users including passwords and e-mail addresses.

The data, which included passwords stored as plain text, was copied and published by hackers on two separate websites in July. The company was made aware of the published data in September, and immediately notified affected users and the German regional data protection authority. The larger of the two data dumps exposed 1.87 million username/password combinations and over 800,000 email addresses.

The regional data protection authority decided that the legislation implementing the GDPR was breached due to the storage of passwords in plain text, and elected to impose its first fine under the new law. The authority stated that ‘by storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data.’
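To make the regulator’s point concrete, here is an added example (not code from Knuddels or the authority) that puts the penalised pattern, a credential table holding passwords in clear text, beside the corrected one, a table holding only a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest. The user names, passwords and iteration count are constructed for illustration.

```python
"""Clear-text password storage beside a salted, iterated hash.

Added example, not code from Knuddels or the regulator. The user names,
passwords and iteration count are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget


class PlainTextStore:
    """The penalised pattern: a copy of this table is a copy of every credential."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedStore:
    """Each row stores (salt, iterations, digest); a copy exposes no password."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _digest(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh per user, so equal passwords hash differently
        self.rows[user] = (salt, PBKDF2_ITERATIONS,
                           self._digest(password, salt, PBKDF2_ITERATIONS))

    def verify(self, user, password):
        row = self.rows.get(user)
        if row is None:
            # Do equivalent work so unknown users are not distinguishable by timing.
            self._digest(password, b"\0" * 16, PBKDF2_ITERATIONS)
            return False
        salt, iterations, stored = row
        return hmac.compare_digest(self._digest(password, salt, iterations), stored)


def dump_reveals_password(store, user, password):
    """Would a raw copy of the stored row hand an attacker the password?"""
    row = store.rows[user]
    return password in (row if isinstance(row, str) else repr(row))


def demo():
    """Register the same constructed user in both stores and compare what leaks."""
    weak, strong = PlainTextStore(), HashedStore()
    password = "correct horse battery"
    for store in (weak, strong):
        store.register("alice", password)
    return {
        "plain_dump_leaks": dump_reveals_password(weak, "alice", password),
        "hashed_dump_leaks": dump_reveals_password(strong, "alice", password),
        "hashed_verify_ok": strong.verify("alice", password),
        "hashed_verify_wrong": strong.verify("alice", "wrong"),
        "hashed_verify_missing": strong.verify("nobody", password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the whole point of the fine: with the clear-text table, the July dump handed attackers working credentials directly, whereas with the salted, iterated digest a dump yields only material that still has to be brute-forced per user. A memory-hard function such as scrypt or Argon2 is the stronger modern choice; PBKDF2 is used here because it ships in the Python standard library.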

In explaining the fine, the authority showed a willingness to accept mitigation: it cited Knuddels’ cooperation in the investigation, as well as its own desire to avoid appearing to compete with other regulators to issue the highest possible fines. The authority also took account of the overall financial burden on the company. The regulator’s pragmatic approach in this case highlights the importance of responding rapidly and acting transparently with regulators when faced with a data breach.

Marriott hotels data breach: 500 million customers’ data exposed

The American hotel chain said that its entire database – including 500 million visitors’ bookings over four years – was exposed. While not as large as the 2013 Yahoo! breach that exposed three billion email accounts, this represents one of the largest data breaches in history.

The company announced that ‘On September 8th 2018 Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States…Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014.’

For roughly 327 million guests, the data included a combination of visitors’ names, addresses, phone numbers, email addresses, passport numbers, Preferred Guest account information, date of birth, gender and arrival and departure dates.

Furthermore, the encrypted credit card numbers and expiration dates of an unspecified number of guests were also compromised. Marriott believes that the relevant encryption key may also have been taken, stating that ‘there are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.’

In a statement, the ICO said “We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries.”

Despite the hotel chain being headquartered in the US, it must comply with the GDPR when dealing with the data of individuals in the EU. Given the scale of the breach, as well as Marriott’s slow response time in notifying customers and data protection authorities, it is possible that this could result in the hotel chain being penalised under the GDPR’s considerable fining powers.

UK ICO fines issued over non-payment of data protection fee

The ICO has announced that businesses across a variety of industries have been the first to be fined for failing to pay the data protection fee required under the Data Protection Act 2018.

Under the DPA 2018, all non-exempt companies, organisations and sole traders that process personal data must pay an annual fee to the ICO. Failure to do so can result in a fine of up to £4,350.

According to the ICO, these first organisations have been fined for not renewing their fees following expiry of their data protection registration. In total, more than 900 notices of intent to fine have been issued since September, and more than 100 penalty notices have been issued.

In order to meet its enhanced responsibilities under the GDPR the ICO has grown over the last two years, now employing a staff of 670. Data protection fees fund the ICO’s work, including investigations into data breaches and complaints, the data protection advice line, as well as preparation of guidance and resources for organisations in helping them comply with their data protection obligations.

Under this Government-set funding model, organisations are divided into three tiers according to size, turnover and their status as a public authority or charity. The fee for small organisations is no higher than the £35 that was required prior to May 25th 2018, while the fee for larger organisations has now risen to £2,900. Fines for non-payment of fees range from £400 to £4,000 depending on which tier an organisation falls into, and may be increased to £4,350 in certain circumstances.

Importantly, organisations that registered under the DPA 1998, prior to May 25th 2018, do not have to pay the new fee until that registration has expired.