Monthly Archives: June 2012

ICO Fine of the NHS Trust – Who Owns the Risk?

If you have an NHS card, receive NHS treatment and have ever been to hospital, raise your hand…either a lot of us all want to leave the room at the same time, or this particular kind of breach can affect pretty much everyone from the UK.

From the ICO website:

“NHS Hospital Trust receives a Civil Monetary Penalty (CMP) for serious data breach.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.”

You can read the full piece here.

Discussion of this penalty in various places online has raised a variety of questions and opinions. Some people, even within the Data Protection community, feel that this was ‘too harsh’ (source: LinkedIn European Data Protection Forum discussion). Others, with a due sense of subject fatigue, feel that not only was it right but that it is more like the kind of penalty the ICO needs to be handing out, and not just to the public sector either.

Looking at this particular breach and reading the arguments that the penalty was too high makes me wonder if people understand the risk scenario. The task of destroying these hard drives was out-sourced, but the drives were still owned by the Trust and the Trust was still the guardian of the data on them.

It looks like a failure of Risk Management that this occurred, and one would question whether proper due diligence was performed on the contractor tasked with this. A decent Risk Assessment would have suggested that they either sanitise the data prior to disposal or procure an on-site disposal service, the supplier of which should have been sourced from a reputable list such as SEAP. I guess you get what you pay for.

The bottom line is that the buck stops with the Trust: they were the guardians of this data. They out-sourced the task, not the risk or the accountability. If the Chief Executive is the SIRO, which they should be, should they be made personally accountable for incidents like this? CESG guidance is very clear on how highly sensitive data should be handled in these circumstances, so there really is no excuse.

Out-sourcing and Risk

Recently we have been reminded frequently about the growth in outsourced services: Computer Weekly’s recent report showed the continuing appetite for outsourcing across the globe, and both PwC and CIF have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, this clearly has some implications for your security. But what are they?

Can you see and understand the whole Risk picture?

Well, first of all, not all arrangements with external parties are equal. Clearly the people hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about what security controls you should and should not put in place you should risk assess the third party. Examples of things you should consider include the type and sensitivity of the data, the extent and maturity of their existing security controls, any legal and regulatory requirements you or your clients are required to meet, and the impact that losing access to your information and information processing facilities would have.

Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and (as a minimum) include the physical and logical controls you expect to be maintained around your assets, the requirements you expect of their personnel (if you vet your staff then you might think it pertinent to make sure they vet theirs), incident and weakness reporting procedures to you, their procedures for access to and segregation of your assets, applicable SLAs and your right to audit them. And once you have entered into an agreement with them, make sure you enforce your right to audit!

If your outsourcing strategy does or may include the use of Cloud based services, read our short guide to Cloud security.

Security for UK legal professionals

We are delighted to have a guest post from Peter Harthan of Riverview Solicitors.

The news that the Information Commissioner’s Office (ICO) has served its highest-ever civil monetary penalty (CMP) is the starkest warning yet of how severely it will punish businesses who fail to take their data protection responsibilities seriously.

The ICO’s penalty of £325,000 on Brighton and Sussex University Hospitals NHS Trust for what it describes as a serious breach of the Data Protection Act follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV – on hard drives sold on an internet auction site in 2010.

The Trust plans to appeal the decision but it is a timely reminder that complying with the Data Protection Act is not optional. If you’re ever unsure of your responsibilities then consult your solicitor or even seek advice from…


eHarmony and LinkedIn password breach: Master Criminal (OHAC) WLTM Professional Person…

After eHarmony and LinkedIn’s recent well-publicised losses of customer passwords we were left wondering in the Advent office if there was a Cyber criminal out there who was a bit lonely and had an unrequited penchant for professional types. Then we got real.

A Master Criminal and his Cat.

However delightful it is to imagine 007’s nemesis Ernst Blofeld and his cat sat at home with their shark pool, hoping to hack their way to friendship (possibly leading to more), I am afraid the reality is far more prosaic: too many of us use the same or very similar passwords for e-services like these and for our online bank, or for other internet service providers to which we entrust sensitive personal and commercial information, and that is what the criminals are really after. So here’s our guide to stopping this happening to you and foiling lovestruck super criminals everywhere.

  1. Don’t use the same or similar passwords for different things, whether they are personal devices, professional equipment, internet services or whatever.  I know it makes life easier but you wouldn’t insist on the same key for your front door, your car, your garden shed and your office would you?
  2. And when you pick passwords, make them strong.  Avoid using proper names, ensure they are at least 8 characters long, don’t use consecutive characters (e.g. Advent99), and use a mixture of upper-case letters, lower-case letters and numbers.
  3. Once you have your strong passwords don’t write them down (please!).
  4. Likewise, don’t tick check boxes saying ‘Remember me?’
  5. And finally, responsible and reputable organisations do not send their users hyperlinks to click on (usually in emails).  If you click on one of these links it will probably bring up a really (and I mean REALLY) convincing mock-up of the service provider’s website asking you to give personal information or your password and, as you can imagine, if you do so the rest is history…
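Rule 2 above, written up as a small checker; this is an added example, not code from the post. It flags the ‘99’ in Advent99 as a repeated run and, on the assumption that “consecutive characters” also covers stepwise sequences such as abc or 321, catches those too. The ban on proper names needs a word list and is left out.

```python
import re

MIN_LENGTH = 8
# Character classes rule 2 asks for; 'alpha' is covered by the two letter classes.
CLASSES = {"upper-case letter": r"[A-Z]", "lower-case letter": r"[a-z]", "digit": r"[0-9]"}

def repeated_run(password):
    """First pair of identical adjacent characters, e.g. the '99' in Advent99."""
    for a, b in zip(password, password[1:]):
        if a == b:
            return a + b
    return None

def sequential_run(password, length=3):
    """First run of `length` characters stepping up or down by one, e.g. 'abc' or '321'."""
    for i in range(len(password) - length + 1):
        chunk = password[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return chunk
    return None

def check_password(password):
    """Return the rule-2 failures for a candidate password; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, password):
            failures.append(f"no {label}")
    run = repeated_run(password)
    if run:
        failures.append(f"repeated characters '{run}'")
    run = sequential_run(password)
    if run:
        failures.append(f"sequential characters '{run}'")
    return failures
```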

Mark, aged 35-45

Cookies and Implied Consent

The ‘watering down’ of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, enacted on 25th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short), has recently been much publicised.

Much has already been written about the lack of compliance among websites, and among those offering subscriptions to online services, ahead of the 26th May 2012 enforcement deadline, which has just passed.

The simple explanation is that the ICO has changed its position on ‘consent’ between its earlier statements and its most recent ones of the last few days. The reasons for this are irrelevant if you are the one subject to the ICO’s ongoing enforcement enquiries, which seek evidence of what action you have ‘already’ taken towards compliance with PECR 2011.

So what do you need to know?

  • Audit what types of cookies you have, and why and where they are used within your website;
  • Analyse the intrusiveness of your cookies; and
  • Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO’s position affect you today?

The updated guidance provides additional information around the publicised issue of ‘Implied Consent’, and the ICO says:

  • ‘Implied consent’ is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on ‘implied consent’ you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that ‘explicit’ consent is more appropriate.

The ICO themselves have a prominent text box at the top of every page which says “The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice” (a hypertext link to their full policy description), with a box for the user to tick if they agree with the statement “I accept cookies from this site” and a button to ‘Continue’ either way. The ICO don’t mind anyone copying their solution but point out that they will monitor and possibly amend it in the future.

This approach by the ICO clearly meets the two requirements of Regulation 6: you must provide clear and comprehensive information about any cookies you are using, and you must obtain consent to store a cookie on a user’s or subscriber’s device.

When you are doing your cookie audit you need to collect the following data:

  • Identify which cookies are operating on or through your website;
  • Confirm the purpose(s) of each of these cookies;
  • Confirm whether you link cookies to other information held about users – such as usernames;
  • Identify what data each cookie holds;
  • Confirm the type of cookie – a ‘session’ or ‘persistent’ type;
  • If it is a ‘persistent’ cookie, how long its lifespan is;
  • Whether it is a first- or third-party cookie and, if it is a third-party cookie, who is setting it; and
  • Double check that your privacy policy provides accurate and clear information about each cookie.
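The audit steps above as a small script, added here as an example rather than any ICO or Advent tool: it classifies captured Set-Cookie headers by lifespan and by first or third party, and reports the cookies the privacy policy does not yet describe. The site domain, the sample headers and the policy’s cookie list are constructed, and “first party” is taken to mean set by the site’s own domain or a subdomain of it.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (cookie name, {lowercase attribute: value}) from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].partition("=")[0].strip(), attrs

def lifespan_days(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(site_domain, responses, policy_names, now):
    """responses: (responding host, Set-Cookie header) pairs captured while browsing."""
    records = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        setter = attrs.get("domain", host).lstrip(".")   # who is setting it
        first_party = setter == site_domain or setter.endswith("." + site_domain)
        records.append({
            "name": name,
            "setter": setter,
            "lifespan_days": lifespan_days(attrs, now),  # None = session cookie
            "third_party": not first_party,
            "documented": name in policy_names,          # privacy policy mentions it
        })
    return records

def findings(records):
    """Gaps to close before relying on implied consent for these cookies."""
    out = [f"{r['name']}: not described in the privacy policy"
           for r in records if not r["documented"]]
    out += [f"{r['name']}: third-party cookie set by {r['setter']}"
            for r in records if r["third_party"]]
    return out

# Constructed sample: three responses captured while browsing www.example.org.
NOW = datetime(2012, 6, 11, tzinfo=timezone.utc)
SAMPLE = [("www.example.org", "sessid=abc123; Path=/; HttpOnly"),
          ("www.example.org", "prefs=en; Max-Age=2592000; Path=/"),
          ("ads.example.net", "_track=xyz; Expires=Tue, 11 Jun 2013 00:00:00 GMT")]
POLICY = {"sessid", "prefs"}  # cookies the privacy policy currently explains
```

Calling `findings(audit("example.org", SAMPLE, POLICY, NOW))` on the sample reports the `_track` cookie twice: once as undocumented and once as third party.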

The fuss in recent days relates to the new position of the ICO that ‘implied consent’ for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3 (‘Personal Data must be adequate, relevant and not excessive’). What it is not is a euphemism for ‘doing nothing’: in many cases you may still need to follow the ICO guidance to be able to rely on it successfully. Whether the consent is ‘implied’ or ‘specific or prior’, it must still be given ‘freely’ by the user, so some action must be taken by the ‘consenting individual’ from which their consent can be inferred.

The consenting individual must be ‘informed’ that cookies are being set or information is being accessed on their device; just visiting the website is insufficient, even when there is an explanation deep in the small print of the online Policy or Terms and Conditions statement. If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set.

Many comments and commentators have said that implied consent puts the onus on the user. The ICO does not share this view and has made it clear that the “understanding is all on the website operator’s side and the user ‘giving’ consent is unaware that their actions are being interpreted in this way”. Where ‘implied consent’ is being relied upon, the provider must ensure that clear and relevant information explaining to users what is likely to happen while they are accessing the site is made readily available to them. The ICO says that it does not feel it is their place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.