Management of a Data Breach under the GDPR


In the headlines....
- Details of online Sony video game players stolen
- Insurance Company Staff caught spying on Celebrities’ Records
- Sony Hackers Hit Up To 250,000 Irish Users in Data Theft
- Protecting privacy - A victory for us all
- Top telecoms firms fined for cold calling customers
- PlayStation Users on high alert after hacking
- Customer “harassed” by 225 calls from UPC
- 40% of tech firms view potential staff on Web
- Insurers to discuss Code after Report identifies breaches of data law
- Telecoms companies plead guilty to data protection offences
- Telecom companies plead guilty in unsolicited calls case
- PlayStation fans hit by Credit Card hacker
- Telecom firms prosecuted for sales methods
- Celebs in Insurance Spy Probe

1956

What’s next?

What constitutes a Data Security Breach?
“a breach of security… leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data being transmitted, stored or otherwise processed.” (GDPR Article 4.12)
Remember: A Breach is not automatically an Offence!

Data Management Considerations
- Security vs Access
- Creative and Compliant Users: Ambassadors vs Assassins
- Protecting the Brand
- Processing Efficiency
- Retention Schedule: Keep? Destroy? Take the risk?
- Use of Test Data
- Formal engagement of third-party Processors
- Policies and Procedures
- Staff Awareness-raising

How to respond to a Breach
- GDPR outlines specific obligations (Art. 33, 34)
- Controller must report to the ODPC within 72 hours of becoming aware, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- Breach Notification Report now available on the ODPC website
- 38-question form must be completed; 22 questions are mandatory
- New breach vs update on an existing reported incident
- (Indications of a public register of all those firms who have reported a breach)

Reporting a Breach to the ODPC
The report should include at least:
- a description of the nature of the personal data breach…
- the categories and approximate number of data subjects concerned; and
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- whether or not the impacted data has been recovered;
- a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, and, where appropriate, measures to mitigate its possible adverse effects and prevent recurrence.

Liaison with the DP Commission
- Guidance now available on the Commission’s re-branded website
- Indication that the DP Commission will issue a Case Reference for each Breach reported
- Keep it to the point, accurate and collaborative. Be Transparent.
- Guidance on impact: low, medium, high, severe
- Consideration of the vulnerability of the data subjects: minors, elderly, patients, etc.
- Separate consideration for breaches involving law enforcement data

Reporting a Breach to the Data Subject
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Art. 34)
Provide information on the following at least:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the Controller to address the personal data breach, and, where appropriate, measures to mitigate its possible adverse effects and prevent recurrence.
The ODPC may instruct the Controller to report to the Data Subjects.
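The breach-handling steps on the preceding three slides (report to the supervisory authority within 72 hours of becoming aware unless the breach is unlikely to result in a risk, notify data subjects when a high risk is likely, and the minimum content of the report) are easiest to follow consistently when an incident-response team tracks them in a breach register. The following is an added example written for this page, not code from the presentation or from Sytorus; the class and function names, the risk bands (the slide's low/medium/high/severe plus an "unlikely" band for the Art. 33 carve-out), and the sample breach record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# Hypothetical breach-register helper: names and sample values are constructed
# for this example and are not an official ODPC form or API.


class Risk(Enum):
    """Impact bands as the slides describe them, plus 'unlikely' for the Art. 33 carve-out."""
    UNLIKELY = "unlikely"   # unlikely to result in a risk: no report to the SA required
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"           # likely high risk: data subjects must be told (Art. 34)
    SEVERE = "severe"


SA_DEADLINE = timedelta(hours=72)   # Art. 33: report within 72 hours of becoming aware


@dataclass
class BreachRecord:
    reference: str                  # internal case id (the SA issues its own reference)
    aware_at: datetime              # when the controller became aware; timezone-aware
    risk: Risk
    # Minimum report content from Art. 33(3), as listed on the slide
    nature: Optional[str] = None
    subject_categories: Optional[str] = None
    approx_subjects: Optional[int] = None
    record_categories: Optional[str] = None
    approx_records: Optional[int] = None
    dpo_contact: Optional[str] = None
    likely_consequences: Optional[str] = None
    data_recovered: Optional[bool] = None
    measures: Optional[str] = None


REPORT_FIELDS = ("nature", "subject_categories", "approx_subjects", "record_categories",
                 "approx_records", "dpo_contact", "likely_consequences",
                 "data_recovered", "measures")


def sa_notification_required(r: BreachRecord) -> bool:
    """Art. 33: report to the supervisory authority unless a risk is unlikely."""
    return r.risk is not Risk.UNLIKELY


def subject_notification_required(r: BreachRecord) -> bool:
    """Art. 34: communicate to data subjects when a high risk is likely."""
    return r.risk in (Risk.HIGH, Risk.SEVERE)


def sa_deadline(r: BreachRecord) -> datetime:
    """The 72-hour clock runs from the moment of becoming aware, not from triage."""
    return r.aware_at + SA_DEADLINE


def hours_remaining(r: BreachRecord, now: datetime) -> float:
    """Negative once the deadline has passed."""
    return (sa_deadline(r) - now) / timedelta(hours=1)


def missing_fields(r: BreachRecord) -> List[str]:
    """Report-content fields (Art. 33(3)) not yet filled in on the record."""
    return [f for f in REPORT_FIELDS if getattr(r, f) is None]


def triage(r: BreachRecord, now: datetime) -> dict:
    """One-shot summary an incident lead can act on."""
    remaining = hours_remaining(r, now)
    return {
        "reference": r.reference,
        "report_to_sa": sa_notification_required(r),
        "notify_subjects": subject_notification_required(r),
        "sa_deadline": sa_deadline(r).isoformat(),
        "hours_remaining": remaining,
        "overdue": remaining < 0,
        "missing_fields": missing_fields(r),
    }


# Constructed sample: a lost device holding an unencrypted patient list,
# discovered at 09:00 UTC and triaged 30 hours later.
SAMPLE = BreachRecord(
    reference="BR-0001",
    aware_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc),
    risk=Risk.MEDIUM,
    nature="Laptop with unencrypted patient appointment list lost in transit",
    subject_categories="patients",
    approx_subjects=340,
    record_categories="appointment records (name, date of birth, clinic)",
    approx_records=340,
    likely_consequences="disclosure of clinic attendance; identity data exposed",
    data_recovered=False,
    measures="device remotely wiped; full-disk encryption enforced on all laptops",
)
TRIAGE_TIME = datetime(2018, 6, 2, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in triage(SAMPLE, TRIAGE_TIME).items():
        print(f"{key}: {value}")
```

The deadline is anchored to `aware_at` rather than to the time the register entry is created, because the slides' 72-hour obligation starts at awareness; the missing-field check is the practical reason to keep the record structured, since the ODPC form's mandatory questions cannot be answered from a free-text incident note.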

Implications of GDPR Principles for Health data
1 – Transparency – clear and open explanation to patients re the use of their data, provision of care, sharing of data with other entities, etc.;
2 – Specified Purpose (permissible under Articles 9(h) and (i));
3 – Minimisation – keep processing to a minimum, pseudonymisation where possible, avoid disclosure of records, test results, etc.;
4 – Accuracy and Currency – regular checks, e.g. during each GP visit, to ensure that personal data records remain up-to-date and fit for purpose;
5 – Retention and Deletion – HIQA guidance to keep medical records in perpetuity, particularly records regarding the provision of treatment to minors;
6 – Security – evidence of both organisational and technological measures in place to prevent unauthorised loss or disclosure of health records – must be robust and proportional;
7 – Evidence of accountability – DPIA process, Breach Notifications, appropriate contracts in place with Processors and peers (data sharing), Processing Activity Logs – mandatory given the ‘special category’ nature of health and biometric data

Medical Data – Article 9 Lawful Processing Conditions:
Article 9(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
Article 9(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
© Sytorus Ltd.

Additional obligations for Health data
- Key criterion for the completion of a DPIA (Art 35.3(b)): “processing on a large scale of special categories of data referred to in Article 9(1)”;
- Key criterion for mandatory appointment of a DPO (Art 37.1(c)): “the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9.1”

Exemptions for health data under GDPR
- Under GDPR, health data includes medical, biometric and genetic information;
- ‘Right to erasure’ does not apply where processing is necessary for the public interest in the area of health and provision of medical care; [e.g. a patient with a contagious illness cannot seek to have those records deleted where they remain a risk to public safety (Ebola, etc.)]
- Certain rights provided under the GDPR can be restricted in the public interest, “…including (processing relating to) monetary, budgetary and taxation matters, public health and social security” – Art. 23

GDPR Considerations, Restrictions and Exemptions
- DPIA – an additional obligation to consult with the ODPC where the proposed change to processing involves health or medical information (Art. 36.5)
- Specific guidance from the French Supervisory Authority (CNIL) regarding the conduct of clinical trials under the GDPR, with emphasis on explicit consent, minimisation of processing, and pseudonymisation;
- Recent HIQA guidance on Data Sharing Agreements between hospitals and other institutions which collaborate on patient care and treatment;

What should you do?
- Company structure: DPO, DP Champions
- Implement… Privacy by Design/Default, Logs, Processes, Contracts…
- Tools: Platform
- Demonstrate compliance
- Training: DPO, Onsite, Online

Logging of Processing Activities (Article 30)
That record should contain, for example:
- The name and contact details of the Controller
- The purposes of the processing
- A description of the categories of Data Subjects
- The categories of recipients
- Transfers of personal data to a third

Demonstrate Compliance
- Processing Activity Log
- Risk Log & proof of mitigation (for example, training)
- Incident log
- Breach log
- DPIA log
- Subject Access Request Log

Thank You. Questions?