[UK/India] – Health Company Fined by UK’s ICO

  • Subcontractor based in India processed sensitive personal data without adequate data processing / data transfer grounds
  • Lack of contractual definition of adequate technical and organisational measures in India
  • Sensitive personal data (with high severity) sent via unencrypted email
  • Sensitive personal data on an FTP server without restricted access controls
  • Patient found his/her data via Internet search

https://www.hldataprotection.com/2017/03/articles/international-eu-privacy/health-company-fined-by-uks-information-commissioner-office/

(from 2015) Rethinking Personal Data Breaches (EU)

So as the world stands still – and waits for GDPR to pass the European Parliament vote in a few days, and just before we are all hit by a wave of audit/certification/consulting firms selling their services – here’s a quick look at Personal Data Breaches.

According to Opinion 03/2014 of the Article 29 Working Party – which back in the day was just an opinion, but now gets quite a bit more muscle: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf

Most people think of a data breach as an event in which data is accessed by an unauthorized person, resold on the darknet, made public by some miscreant, etc.

The Article 29 Working Party takes a much more holistic view – and includes loss of integrity and loss of timely availability alongside the loss of confidentiality.

Opinion 03/2014 gives examples of data breaches, and walks the reader through assessing the impact. While the GDPR will provide us with more details and requirements (e.g. to notify within 72 hours), the Opinion does a good job illustrating the underlying thinking.

So quoting from the Opinion:

Case 1: Four laptop computers were stolen from a “Children’s Healthcare Institute”; they stored sensitive health and social welfare data as well as other personal data concerning 2050 children.

  • Potential consequences and adverse effects of the confidentiality breach:
    The first impact is a breach of medical secrecy: the database contains intimate medical information on the children which are available to unauthorized people. [..]
  • Potential consequences and adverse effects of the availability breach:
    It may disturb the continuity of children’s treatment leading to aggravation of the disease or a relapse. [..]
  • Potential consequences and adverse effects of the integrity breach:
    The lost data may affect the integrity of the medical records and disrupt the treatments of the children. For example, if only an old back-up of the medical records exists, all changes to the data that were made on the stolen computers will be lost, leading to corruption of the integrity of the data. The use of medical records that are not up-to-date may disrupt the continuity of children’s treatments leading to aggravation of the disease or a relapse. [..]

So the overall paradigm is a bit different from elsewhere. It will be interesting to see how many changes were made last minute to the GDPR, but assessments like the one above should be commonplace in 2018 and beyond.

Privacy as a Service in Digital Health

A paper by Xiang Su, Jarkko Hyysalo, Mika Rautiainen, Jukka Riekki, Jaakko Sauvola, Altti Ilari Maarala, and Harri Honko

at https://arxiv.org/ftp/arxiv/papers/1605/1605.00833.pdf

I still need to let it truly sink in before I’m ready to comment on it – but I am glad that this kind of privacy design thinking is now happening. GDPR offers some challenges and many opportunities. Having a technical layer to complement the privacy processes we’ll all have to put in place can be very helpful. Let’s hope for some reasonable open data scheme to make the legal aspects more digestible to tools and algorithms.

Let’s just hope it won’t go the way of the P3P protocol.