The UK GDPR places an obligation on anyone processing personal data to do so with appropriate security in place, so that personal data cannot be deliberately or accidentally compromised. Article 5(1)(f) of the UK GDPR, known as the "integrity and confidentiality" principle, requires that personal data be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
Whilst the UK GDPR does not prescribe which measures an organisation must have in place, Article 32(1) requires that the measures "ensure a level of security appropriate to the risk". When assessing that risk, organisations should consider the data they hold, how sensitive or confidential it is, and the damage or distress that could be caused to individuals if that data were compromised.
It is important for organisations to have appropriate measures in place because the Information Commissioner's Office (ICO) must take them into account when deciding whether to impose a fine following a breach and, if so, at what level (the technical and organisational measures implemented are an express factor under Article 83(2)(d)). If the ICO finds that an organisation did not have appropriate technical or organisational measures in place, the fine is likely to be higher than it would otherwise have been.
HCRG Care Group
Recently, a ransomware group published a post on the dark web claiming to have taken more than two terabytes of sensitive personal data from HCRG Care Group's systems. HCRG is one of the largest providers of community healthcare in the UK. According to the group, the data allegedly taken included employees' personal data, sensitive medical records and financial records.
HCRG have confirmed that they have reported the breach to the ICO. As noted above, the ICO, in carrying out its investigation, will need to assess whether the measures HCRG had in place were sufficient and appropriate, taking into account the type of data HCRG processes. As a healthcare provider, HCRG processes data concerning health, which is special category data under Article 9 of the UK GDPR. The presumption is that this type of data must be treated with greater care because of its nature and the likely impact on an individual's fundamental rights if it were compromised.
HCRG have made the following comments in relation to the breach:
“We are investigating an IT security incident and have recently identified a post on the dark web by a group claiming responsibility. Our team has not observed any suspicious activity since the implementation of immediate containment measures.
We are working with external forensic specialists to investigate the incident.”
Comment
This is a reminder for all organisations to review the technical and organisational measures they have in place and to consider whether those measures remain appropriate to the nature, sensitivity and volume of the data they process.
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.