
GDPR: health companies must manage data breaches better

Out-Law Analysis | 28 Jun 2018 | 10:53 am | 7 min. read

ANALYSIS: Whether and how organisations document their handling of data breaches will influence how exposed they are to compensation claims and regulatory fines.

Maintaining a data breach register is an essential task for organisations active in the health sector whose handling of personal data will come in for even greater scrutiny than before under the General Data Protection Regulation (GDPR).

Data protection in the health sector

The obligation of patient confidentiality is at the heart of the wording of the Hippocratic Oath, so is a core obligation for those in healthcare. Yet there are persistent reports of personal data breaches and an analysis of these suggests that many breaches arise from a failure to adhere to the basic fundamentals of personal data privacy and security.

Most data breaches are not down to an organised criminal gang making use of malware; they are down to people not understanding or following the basic steps required to keep sensitive personal data secure.

The Irish Times recently reported on data breaches by the Health Service Executive of Ireland and found that an X-ray report had been found in department store Penneys, a cancer patient’s chart was left on the roof of a car, and a child’s mental health records were accidentally faxed to the Bank of Ireland.

Last month, the Office of the Data Protection Commission (ODPC) in Ireland published a report following an investigation which involved physical inspections by authorised officers at 20 hospitals across all geographic areas of Ireland spanning Health Service Executive facilities, private hospitals and voluntary hospitals.

The ODPC undertook the investigation due to the substantial volume of sensitive personal data which is processed on an ongoing basis in the sector, their awareness of some significant data security breaches in the past and the findings of data protection audits conducted in a number of individual hospitals. The central focus of the investigation was to examine the processing of the personal data and sensitive personal data of patients in departments and areas of hospitals to which patients and the general public have access.

In its findings it highlighted a number of areas of concern where it found weaknesses in the processing of patient personal data. Examples included:

  • controls in medical records libraries
  • security
  • storage of patient observation charts in hospital wards
  • storage of patient charts in trolley bins in wards
  • storage of confidential waste paper within a hospital
  • disposal of handover lists and patient lists
  • lack of speech privacy
  • absence of audit trails
  • raising awareness of data protection in hospitals
  • consent for research
  • data retention

Before the GDPR took effect on 25 May this year, many data breaches did not come to the attention of the public. That will no longer be the case because there is now a mandatory reporting regime under the GDPR: personal data breaches must be reported to the local data protection authority – the Information Commissioner’s Office (ICO) in the UK, and the ODPC in Ireland – within 72 hours where there is a risk of damage to the rights and freedoms of a data subject. Where there is a high risk of damage arising to the data subject, the data subjects must be informed directly without undue delay.

Mandatory reporting and compensation claims

The requirement for mandatory data breach reporting under GDPR represents a power shift away from data controllers, whether hospitals, healthcare companies or life science companies, to data subjects.

Much has been made of the materially significant fines that data protection regulators can impose for breaches of GDPR. Reflecting the reality that data breaches do happen, even if accidentally, GDPR provides that data breaches attract the lower tranche of fines being €10m or up to 2% of global turnover, whichever is higher.

However, of importance for anyone in regulatory affairs is the statutory right to compensation from a data controller or data processor that all data subjects have under GDPR for material or non-material damage, such as distress, caused to them by a data breach.

Such lawsuits, referred to as data protection actions in Ireland, are likely to be far more common than regulatory fines imposed by the data protection regulator. They will be heard before the courts, possibly reported upon by the press and could result in significant compensation payments.

Many companies in the healthcare sector are either funded through the public purse or are public companies with shareholders and, as such, will face demands for accountability and transparency if they find their internal governance under the spotlight before a court.

In other words, in circumstances where the reputation of the company is at risk it will be inevitable that the senior management team will want to understand if the wrongdoing resulting in the breach is due to internal governance failures or due to gross negligence by personnel. The buck will have to stop somewhere for the financial losses.

Understanding what constitutes a data breach

There can be a lack of appreciation of what can actually constitute a data breach. In any organisation, people are the first line of defence if trained correctly and the weakest link if ignorant of the importance and implications of failure to properly report and handle a data breach.

With the GDPR now in effect, ongoing personnel training is a must so that staff recognise a breach for what it is and respond correctly. The European Data Protection Board (EDPB), which is made up of the data protection regulators from across the EU, issued guidance on data breaches. It categorised breaches into three types and a breach can comprise one or a combination of all three:

  • confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data. An example of this would be emailing personal data to the wrong recipient(s).
  • integrity breach – where there is an unauthorised or accidental alteration of personal data. An example of this could be amending the medical records of the wrong patient.  
  • availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data. An example of this is the WannaCry ransomware incident that affected the UK NHS. A further example of an availability breach would be an incorrectly administered data retention policy where the incorrect data sets were accidentally permanently deleted or destroyed.

Damage flowing from a data breach

A data subject has a right to compensation for a data breach under the GDPR where they suffered material or non-material damage as a result of an infringement of the regulation by a data controller or data processor. It is clear from case law that non-material damages cover non-pecuniary losses like distress.

The GDPR does not contain an exhaustive list of the types of damage envisioned from a data breach but it does, under Recital 85, highlight 10 areas and, of those, the following are all potentially relevant to a healthcare data breach:

  • loss of control over personal data
  • unauthorised reversal of pseudonymisation
  • damage to reputation
  • loss of confidentiality of personal data protected by professional secrecy
  • other significant social disadvantage

Risk assessment

It is important that organisations assess the risk around a data breach to decide if they need to make a mandatory report. The EDPB has made clear that consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of an objective assessment.

The factors to be considered in an objective assessment should include the following:

  • the type of breach
  • the nature, sensitivity and volume of personal data
  • ease of identification of individuals
  • severity of consequences for individuals
  • special characteristics of the individual
  • special characteristics of the data controller
  • the number of affected individuals

These factors can seem abstract in the absence of context. In truth, in most instances you will instinctively understand how serious the potential breach may be for a data subject, but you must still apply the methodology to show that an objective assessment was undertaken.

It is clear from Recital 75 of the GDPR that data breaches concerning genetic data or data concerning health are examples of the type of incident that the regulation is aimed at protecting against.

A central message from the EDPB is: "If in doubt, the controller should err on the side of caution and notify."

For all those reasons proper recording of data breach handling in the data breach register is a must. 

Recording the risk assessment

Irrespective of whether a data breach is notified, it is vital that all organisations maintain a data breach register where they record contemporaneously how the breach was handled, how the objective assessment was made, and how they responded thereafter.

It is provided in the GDPR that data controllers "shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken" and that "that documentation shall enable the supervisory authority to verify compliance".

The data protection authority can request these records and, certainly, in any data protection action that flows from a personal data breach, the lawyers for data subjects will scrutinise them.

The words 'shall enable' are important. The implication is that, without such records, it will not be possible to verify compliance.

From a regulatory affairs perspective, the person designated to complete the register must be properly trained in the importance of this role and diligently comply with it. They will be doing so in the midst of the high-pressure environment that will surround everyone when a significant data breach arises that might require mandatory reporting within 72 hours to the ICO or ODPC and the data subjects concerned. It is a role requiring seniority and steel under pressure that is characteristic of the few and not the many.

Dublin-based Ann Henry is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com. She is chair of the Intellectual Property and Data Protection Committee of the Law Society of Ireland and a member of the Government Data Forum in Ireland. A version of this article was published in Regulatory Rapporteur – The International Journal for Professionals in Regulatory Affairs 2018;15(7/8):23–25. This journal is published by TOPRA – The Organisation for Professionals in Regulatory Affairs.