Recent data breaches and their impact on organisations

Published on: 05/03/2025

#Data Protection

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially, can be very significant. It is therefore vital that organisations have effective systems in place to protect the information that they hold and have procedures for preventing and dealing with any breaches.

A data breach occurs when the information held by an organisation is stolen or accessed without authorisation. Under the UK GDPR, organisations have a duty to report certain personal data breaches to the relevant authority within 72 hours of becoming aware of the breach, where the breach meets the threshold for reporting. Organisations also have a duty to keep a record of all personal data breaches in any case, and affected individuals must be informed if the breach has a high risk of adversely affecting them.

The following recent cases highlight the detrimental impact that data breaches can have on both organisations and individuals:

Police Service of Northern Ireland (PSNI)

In August 2023, PSNI received two freedom of information requests from an individual requesting information about the number of officers in each rank and their status, i.e. substantive, temporary or acting. PSNI provided this information in an Excel spreadsheet which, unnoticed by quality assurance, mistakenly included a worksheet tab with the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff. PSNI was alerted to the breach internally at 4:10pm the same day and the file was deleted from the website at 5:27pm. PSNI made an announcement 6 days later. The ICO conducted an investigation and found that the internal procedures and sign-off protocols had been inadequate. In October 2024, PSNI was fined £750,000 by the ICO for exposing the personal information of its entire workforce. The fine would have been £5.6 million; however, the Commissioner used his discretion in this case as he was mindful of PSNI’s financial position and did not want to divert public money from where it was needed.

The Central Young Men’s Christian Association (the Central YMCA)

The Central YMCA had incorrectly sent an email to 264 individuals participating in an HIV support programme using CC instead of BCC. As a result, the email addresses of the recipients were revealed to one another and 166 individuals could be identified, or potentially identified, as living with HIV. The ICO fined the Central YMCA £7,500 for the breach of sensitive information, which denied basic dignity and privacy to individuals living with HIV. Here, the Commissioner also used his discretion under the ICO’s public sector approach and reduced the fine, which had initially been recommended to be £300,000.

South Tees Hospitals NHS Foundation Trust (the Trust)

In November 2022, an employee of the Trust sent a standard letter to the father of a child patient informing him of an upcoming appointment. The appointment letter, however, was sent to the wrong address: that of the family of the child’s mother. This incident caused significant distress and upset to the patient and the family. The ICO launched an investigation and found no evidence that the Trust had a formal documented process or procedure in place. The ICO issued a reprimand to the Trust and advised that a formal written procedure be put in place to mitigate risks and ensure that correct contact details were used.

The above cases demonstrate the need for organisations to have breach detection, investigation and reporting procedures in place and to notify the relevant authorities or individuals without undue delay, where this is required. They also demonstrate that financial and reputational damage can be limited if an organisation has robust policies and procedures in place. If you have any questions about data breaches or would like assistance with implementing data protection policies and procedures within your organisation, please contact a member of our Data Protection Team. Our team is more than happy to assist and can provide a short assessment tailored to your organisation’s needs.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.