Council data breach to taxi firms
Was there an effective Data Privacy Impact Assessment?
David Parish – Information Security Consultant
The media reported a potential data breach last month: as part of a contract tendering process, a data set was sent by e-mail to 27 taxi firms tendering for a council contract to provide transport services to some of the most vulnerable people in society, including the elderly and children, and the data set contained medical data.
After realising the error, the council tried to recover the situation by recalling the e-mail some 24 hours later.
The council is required, to ensure transparency, to put contracts that exceed a financial threshold out to tender. It therefore has a lawful basis for the processing, as the GDPR requires. Reflect on the six lawful bases that the GDPR requires you to establish prior to processing data (Principle 1): depending on your business, you should now be establishing, or ideally have already established, which of them you are operating under, as not all six will apply.
The GDPR, like current legislation, requires a Data Privacy Impact Assessment for the processing of data in new projects and also when handling or processing specific high-risk data; in our scenario, health data.
The purpose of the DPIA is to identify the potential impact on an individual's privacy and to ensure, where required, that the risk is mitigated. If your initial planning cannot mitigate the risk sufficiently, you should not continue processing, or you should inform the ICO.
While we do not know all the facts, and it would be inappropriate to base this blog on media reporting alone, let us make some assumptions in order to identify some potential solutions.
To make the tender process effective, the taxi firms needed more information than just collection and destination points.
They may have needed details of potential disabilities or vulnerabilities to estimate accurately how long collecting and dropping off an individual would take.
The council holds the information for a legitimate purpose, but a method of sanitisation, risk ranking and encryption could have been developed to enable the process to take place.
At the first stage of the tender, did they minimise the data set, i.e. remove names, apply filters where the passenger is a minor, etc.? The more detailed information that the successful firms may have needed could then have been handled by more secure means than an e-mail attachment.
The contract should have contained security questions and demanded compliance with maintaining the GDPR rights afforded to the individual.
It may have been a genuine mistake; however, over 60% of data breaches are human error, and the GDPR provides clear and unequivocal guidance on what is allowed.
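As an added example (not from the original post, and not the council's actual process or data), the minimisation step described above in Python: it strips names, dates of birth and diagnoses from constructed sample records, keeps only what a bidder needs to price a journey, and risk-ranks the source data so the handling channel can be chosen before anything is sent. The field names, sample values and scoring are assumptions.

```python
from datetime import date

# Constructed sample records (fictitious names, postcodes and conditions),
# standing in for what the council holds about each passenger.
PASSENGERS = [
    {"ref": "P001", "name": "A. Example", "dob": "2012-05-01",
     "pickup": "SW1A 1AA", "dropoff": "SW1A 2AA",
     "conditions": ["epilepsy"], "mobility": "wheelchair"},
    {"ref": "P002", "name": "B. Example", "dob": "1941-11-23",
     "pickup": "M1 1AE", "dropoff": "M2 5BQ",
     "conditions": [], "mobility": "ambulant"},
]
TENDER_DATE = date(2018, 6, 1)  # assumed date the tender pack is prepared

def is_minor(dob: str, today: date) -> bool:
    """True if the passenger is under 18 on `today` (dob is an ISO date string)."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age < 18

def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK postcode (the district), not the full address."""
    return postcode.split()[0]

def risk_rank(record: dict, today: date) -> str:
    """Rank the record so the handling channel can be chosen before anything is sent.
    Health data is special-category data (GDPR Art. 9); a minor adds further weight."""
    score = 2 if record["conditions"] else 0
    score += 1 if is_minor(record["dob"], today) else 0
    return "high" if score >= 2 else "standard"

def minimise_for_tender(record: dict, today: date) -> dict:
    """Return only what a bidder needs to price the journey: no name, no date of
    birth, no diagnosis; a minor flag and an 'allow extra time' flag instead."""
    return {
        "ref": record["ref"],                       # council-held reference, not identity
        "pickup_area": outward_code(record["pickup"]),
        "dropoff_area": outward_code(record["dropoff"]),
        "minor": is_minor(record["dob"], today),    # escort/safeguarding requirement
        "assistance": record["mobility"],           # vehicle requirement, not diagnosis
        "extra_time": bool(record["conditions"]),   # timing allowance, not the condition
    }

def tender_data_set(records, today: date):
    """Minimised rows plus the highest risk rank seen in the source data, so the
    caller can decide whether an e-mail attachment is an acceptable channel at all."""
    rows = [minimise_for_tender(r, today) for r in records]
    worst = "high" if any(risk_rank(r, today) == "high" for r in records) else "standard"
    return rows, worst
```

Even the minimised rows still travel with a "high" rank here because the source set contains health data, which is the cue to use an encrypted or access-controlled channel rather than e-mail.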
We haven't mentioned the Article 29 Working Party updates in this blog, but it is interesting that the ICO has very recently published its consultation on how to manage children's data, which will form additional guidance. I would suggest that a visit to the ICO web page to see the first draft of the guidance, and what it looks like, would be timely.
Additionally, if you are following some of the more detailed guidance produced by the ICO, and particularly the GDPR implementation guidance, you need to be aware that the document is being continually updated by the ICO; the unfortunate issue is that the ICO does not highlight which paragraphs or key pieces have been updated. So stay with the GDPR Academy and we will track those changes, which will be reflected in our training material or via our updates.
I think over the next few weeks we may need to look deeper at lawful basis, and particularly consent, as this is proving to be especially topical; the Article 29 guidance is lengthy, but for those involved in marketing and recruitment it must be analysed in conjunction with the GDPR.
Remember – keep an open mind and there will be peaks and troughs in this journey.
by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR Implementation Specialist, MSc Security and Risk Management