Last week, the UK’s Information Commissioner’s Office (ICO) published a monetary penalty notice which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
In this instance, several data protection compliance issues were at stake – HCA had engaged a subcontractor based in India to process sensitive personal data without putting an agreement in place that met the requirements of the Data Protection Act 1998 (DPA) and without taking steps to ensure an adequate level of protection for data transferred outside the EU. One of HCA’s hospitals had recorded doctors’ consultations with patients discussing very sensitive and personal matters concerning IVF treatment and then sent the audio recordings by email in unencrypted form to the Indian subcontractor. But HCA had not required the Indian subcontractor to take appropriate security measures to protect the audio recordings which had been held by the subcontractor on an unsecured FTP server without restricted access controls. Consequently, a patient had been able to locate the sensitive data through carrying out an Internet search.
HCA had been relying on this process for obtaining transcripts of audio recordings back from the Indian subcontractor since 2009 and it was only in 2015 when they received the patient’s complaint that they acted to remedy the situation. HCA had not audited the Indian subcontractor’s practices during this time which contributed to the ICO’s view that HCA had been negligent. In particular, it was telling that HCA had policies in its own UK hospitals requiring emails containing personal data to be encrypted and for FTP servers to be secure but had not required these technical measures from its Indian processor. As such, in the eyes of the ICO, HCA ought reasonably to have known that the audio recordings would be vulnerable to a security breach in the absence of appropriate security measures.
It was a matter of course for the ICO to identify this contravention of the DPA as serious given the sensitivity and confidentiality of the data. Furthermore, it was a contravention that would cause distress to patients given the intimate nature of the medical matters being discussed and the possibility that unauthorised persons would be able to access their data. Throughout the period of time up to the complaint the ICO considered that HCA had failed to take reasonable steps to prevent the contravention. Although HCA had voluntarily reported the incident to the ICO, had been fully co-operative, and had taken remedial actions, these mitigation steps did not stop the ICO from imposing a substantial monetary penalty. Furthermore, the failure by HCA to ensure an adequate level of protection for data transferred outside the EU to India was an additional serious breach.
This incident is a reminder to all organisations working in healthcare of the higher regulatory stakes at play when processing health data. In particular, healthcare organisations that engage multiple subcontractors to provide support and technical services are expected to carry out proper due diligence on data processors and put in place a contract that imposes robust obligations on the processor. The provisions in such contracts will become even more significant once the General Data Protection Regulation (GDPR) applies across the EU from May 2018 since the GDPR stipulates certain mandatory provisions in controller-processor contracts. Likewise, processors will be required to notify controllers of data security breaches without undue delay and controllers will be required to notify the data protection regulator within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals – an exception that could not be relied on in this instance with the HCA given the lack of encryption and the sensitivity of the data.
But the scene will also shift in a new way since, unlike under current EU data protection law, under the GDPR both a controller and processor can be fined by a data protection regulator for serious contraventions of their GDPR obligations. So a processor can be fined up to 2% of total worldwide annual turnover for a serious failure to keep personal data secure (as well as face compensation claims from individuals) and up to 4% of total worldwide annual turnover for failing to comply with obligations concerning international data transfers. However, non-EU processors (such as in this case with the Indian subcontractor) are only subject to the GDPR (and therefore liable to be fined) if their processing activities relate to the offering of goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU. On the facts of this incident with HCA, it seems unlikely that the Indian subcontractor would be directly subject to the GDPR and therefore unlikely that the Indian subcontractor could itself be fined by an EU data protection regulator. So if this incident were to happen once the GDPR is in effect, HCA would be (as is the case here) fined for all aspects of the breach, including where the Indian subcontractor has itself been negligent. Probably the only way that HCA would be able to recover some or all of the cost of the fine from the Indian subcontractor would be under its contract with the Indian subcontractor. Consequently, it becomes even more important to HCA that the contract with the Indian subcontractor contains sufficient indemnity and liability provisions.
Again, this decision acts as a reminder to all controllers processing sensitive data to have procedures and policies in place when engaging processors that ensure data protection compliance requirements are incorporated into the due diligence and contract stages as well as to carry out a thorough consideration of the potential worst case scenario in the event of a security breach.
