Be exact when you redact - data protection compliance lessons learned from TSol breaches

The Information Commissioner’s Office (ICO) has taken enforcement action in response to another public sector data breach, this time involving the Treasury Solicitor’s Department (TSol). Between 2011 and November 2012, the Department incorrectly disclosed individuals’ personal information to third parties on four separate occasions. Katherine Eyres reflects on whether there are any lessons to be learned.


How did the breaches happen?

The ICO was prompted to take enforcement action against TSol following a series of data breaches between 2011 and 2012 involving sensitive personal data in contravention of the Data Protection Act 1998 (DPA 1998).

TSol is the main provider of legal services to central government.

In three of the incidents, litigation case files containing the personal information of third parties were sent to the claimant’s solicitors, who passed them on to the claimant.

One other incident involved information about an unfair dismissal case being sent to the wrong person—the bundle of case papers contained the personal data of an individual involved in a separate claim.

The data concerned was ‘sensitive personal data’ (as defined in DPA 1998, s 2), as it related to ‘proceedings for an offence committed or alleged to have been committed by’ the affected data subjects.

What should have happened?

The ICO found TSol’s data handling processes fell short in relation to its procedure for preparing documents for disclosure.

What should have happened, in the first three incidents, was that the third party details should have been redacted before the case files were sent to the other side.

In the fourth incident, the recipient address details should have been carefully checked to ensure the case papers were disclosed only to the intended recipient.

The ICO’s statement implied that, as a legal function, TSol should have known better. ICO head of enforcement Stephen Eckersley said:

‘The nature of the work carried out by the Treasury Solicitor’s Department means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.’ 

What has TSol undertaken to do differently in future?

The undertaking given by TSol addresses these areas. It reiterates TSol’s obligation to ensure personal data is processed in accordance with the Seventh Data Protection Principle and, specifically, that:

(1) a clear, documented procedure for staff to follow when preparing information for disclosure is implemented within 6 months. This should incorporate a defined checking process with emphasis on the steps to be taken prior to release. The procedure should account for both sensitive personal data and personal data relating to third parties;

(2) the communication requirements between junior and senior lawyers carrying out the disclosure process are defined by a structured, formal procedure with clear lines of communication, implemented within 6 months. The responsibilities of staff members should be clearly explained within this procedure; and

(3) a mandatory and comprehensive training programme on compliance with the Act for all new and existing staff is put in place within 6 months. This should set out how training will be presented, tested and refreshed, and the frequency of delivery for each.

What factors are likely to have influenced the enforcement action taken by the ICO?

The fact that TSol itself notified the ICO of the breaches is likely to have been a significant factor in why the action taken by the ICO was not more severe.

Also, the breaches were relatively contained: the data controller knew where the data had gone and only a small number of data subjects were affected. Contrast this with other high profile breaches involving public bodies such as Brighton and Sussex University Hospitals NHS Trust and Glasgow City Council. (Against this, however, must be weighed the fact that the data in this case was of a sensitive nature.)

Additionally, TSol acted quickly to retrieve the data once they realised what had happened.

It was also a case of some protection measures being better than none. The fact that TSol did have data protection compliance processes would also have made a difference: in the first three incidents, the TSol lawyers knew they were supposed to redact personal data and made an attempt to do so, but missed some of it.

Had TSol not taken these steps, and subsequent remedial action, it would have been served with an enforcement notice. Enforcement notices served under DPA 1998, s 40 are more constraining: they require the data controller to take specified steps to comply with the data protection principles that have been contravened and/or impose restrictions on the data controller’s processing activities.

What next for TSol?

TSol has six months to implement the processes set out in the undertaking, so needs to move fast to get its house in order from a data protection compliance perspective.

At the time of writing this post, TSol’s Code of practice on personal data was missing in action on the Department’s website, with a ‘This page cannot be found’ error message appearing. Hopefully this is a sign that this is currently under review, along with TSol’s processes for dealing with personal data and not another potential headache for TSol...?

What should public sector lawyers (and lawyers in general) take from this?

  • Be exact when you redact—when cleansing documents of third party personal data, ensure this is done thoroughly and systematically, and check the finished document rather than the marked-up draft.
  • Don’t cause offence—litigation documents may contain ‘sensitive personal data’, which needs to be treated with even more care than ‘personal data’—the sensitive personal data in this case implicated the affected data subjects in the commission of an offence.
  • Follow the guidelines—draft and implement comprehensive guidelines on how to prepare documents for disclosure and ensure the whole team grasps them—these should be documented and set out in a way that is easy to understand.
  • Train and then train again—reinforce written guidelines with training and regular refresher courses, and run programmes for both existing staff and new joiners.
  • Don’t wait for the ICO to come knocking—be proactive in self-reporting data breaches.
  • Keep confidential client information…confidential—aside from the requirements of DPA 1998, solicitors remain bound by obligations of confidentiality to their clients. So, if you disclose confidential client information in breach of confidence, you also risk a claim from your client.
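The first lesson (redact exactly) and the fourth incident (wrong recipient) both come down to a pre-release check that can be made mechanical rather than left to a lawyer’s eye. The script below is an added example of such a check; it is not TSol’s tooling and is not something the ICO undertaking specifies. It runs over the extracted text of the bundle that is about to be sent, looks for every form a protected third party’s name is likely to take in case papers (‘Jane Smith’, ‘Smith, Jane’, ‘J. Smith’) plus any other identifiers supplied for that person, and only clears the bundle for release if nothing is found and the envelope recipient matches the intended one. The names `ThirdParty`, `check_bundle` and `release_gate`, the sample third party and the bundle text are all constructed for illustration.

```python
"""Pre-release check for a disclosure bundle.

Added example, not TSol's own tooling. It runs over the extracted text of the
bundle that will actually be sent and reports any third-party data that
survived redaction, then gates release on a recipient check as well.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    """A person whose data must not leave in this bundle (constructed structure)."""
    name: str
    identifiers: tuple[str, ...] = ()   # e.g. the reference of their separate claim


@dataclass(frozen=True)
class Finding:
    label: str      # which third party the match belongs to
    variant: str    # the exact form that was found (name variant or identifier)
    context: str    # surrounding text so the reviewer can locate it quickly


def normalise(text: str) -> str:
    """Collapse whitespace and case so a line break or capitalisation cannot hide a match."""
    return re.sub(r"\s+", " ", text).casefold().strip()


def name_variants(full_name: str) -> set[str]:
    """Forms a name commonly takes in case papers: 'Jane Smith', 'Smith, Jane', 'J. Smith'."""
    parts = full_name.split()
    if len(parts) < 2:
        return {full_name}
    first, last = parts[0], parts[-1]
    return {full_name, f"{last}, {first}", f"{first[0]}. {last}", f"{first[0]} {last}"}


def check_bundle(text: str, third_parties: list[ThirdParty], window: int = 30) -> list[Finding]:
    """Return every occurrence of a third party's name variant or identifier in the text."""
    norm = normalise(text)
    findings: list[Finding] = []
    for tp in third_parties:
        targets = name_variants(tp.name) | set(tp.identifiers)
        for target in sorted(targets):
            # \w lookarounds stop 'J Smith' matching inside 'DJ Smithson'
            pattern = r"(?<!\w)" + re.escape(normalise(target)) + r"(?!\w)"
            for m in re.finditer(pattern, norm):
                lo, hi = max(0, m.start() - window), min(len(norm), m.end() + window)
                findings.append(Finding(tp.name, target, norm[lo:hi]))
    return findings


def release_gate(text, third_parties, envelope_recipient, intended_recipient):
    """Fail closed: release only if nothing survived redaction AND the recipient matches."""
    findings = check_bundle(text, third_parties)
    right_recipient = normalise(envelope_recipient) == normalise(intended_recipient)
    return (not findings) and right_recipient, findings


# Constructed sample data: a fictitious third party and bundle text, not a real case.
THIRD_PARTY = ThirdParty("Jane Smith", identifiers=("CLM-EXAMPLE-001",))

BUNDLE_TEXT = """
Bundle for the claimant's solicitors.
The matter of [REDACTED] was considered separately.
See also the earlier correspondence with
Smith, Jane regarding claim CLM-EXAMPLE-001.
"""

if __name__ == "__main__":
    ok, findings = release_gate(BUNDLE_TEXT, [THIRD_PARTY],
                                "claimant.solicitors@example.com",
                                "claimant.solicitors@example.com")
    for f in findings:
        print(f"{f.label}: '{f.variant}' still present ...{f.context}...")
    print("RELEASE" if ok else "HOLD")
```

Two practical caveats. Run the check on text extracted from the file that will actually be sent, not the working copy: a black box drawn over text in a PDF hides it on screen but leaves the underlying text selectable and extractable, which is exactly the kind of incomplete redaction that let ‘some bits’ through here. And a list-based check only catches what is on the list, so it is a backstop for the defined checking process in the undertaking, not a replacement for a reviewer who knows which people in the bundle belong to a separate matter.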

Data protection compliance is possibly the one situation involving individuals where to be missing 'without a trace' is a good thing.

Further reading for Lexis®PSL IP & IT subscribers:

For guidance on data protection and the public sector, see:

Data sharing in the public sector—flowchart

Sharing data in the public sector

For a data security policy, see Data security policy to assist staff to comply with the requirements of the seventh principle.

For regular updates about proposed European Data Protection reform, see: Horizon scanning – cases.
