Understanding data breaches and ICO investigations
By Antonia Noble, Barrister and Founder of Carter Noble
Schools large and small can fall victim to data breaches, either through malicious attack or employee error. Shockingly, there are more than 60,000 hacking attempts every day in the UK.
In an increasingly digital age, we’re familiar with data breaches. Many have occurred in the last decade alone. Travelex, Uber, Crown Prosecution Service, and the NHS are all high-profile examples. All incurred significant fines and, in Uber and Travelex’s case, damage to share price. But it’s the human cost that you can’t put a price on.
For example, Brighton and Sussex University Hospitals NHS Foundation Trust was fined £325,000 by the ICO in 2012 for the loss of highly sensitive personal information about patients and staff. The Trust hired a contractor to destroy some old hard drives containing sensitive information. Instead, the contractor sold the hard drives on eBay. The Information Commissioner’s Office (ICO) said the data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. Your school’s data will likely contain similarly sensitive information.
The consequences of breaches are grave, both for your school and the individuals impacted. But what are data breaches exactly? What happens in the event of a breach? And how can your school protect itself against them?
Defining a data breach
Put simply, a personal data breach is an incident in which information is accessed without authorisation, or where data is lost. The definition you’ll be familiar with is an incident leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.” Data breaches can be costly: they damage lives and reputations, and the damage takes time to repair.
Importantly, breaches can occur in a number of ways, both as a result of accidental and deliberate causes. These include:
- IT breaches, including hacking, phishing, trojan horses, worms etc.
- Loss of data through a power outage, fire or flood (especially problematic when files are retained in paper form only)
- Stolen or lost devices, e.g. a phone left on a bus that contains accessible stored data
- Information given to people who don’t need to see or know it, e.g. a parent being sent an email about the behaviour of a student who isn’t their child.
Reporting breaches
While you’re not obliged to report every breach, under UK GDPR you do have a duty to report certain personal data breaches to the relevant supervisory authority (the Information Commissioner’s Office).
GDPR states that incidents only need to be reported if they “pose a risk to the rights and freedoms of natural living persons.” Risk here refers to the possibility of the victim(s) facing economic or social damage (such as discrimination), reputational damage or financial losses.
If this is the case, then you must report the incident to the ICO within 72 hours of first becoming aware of the breach. This doesn’t leave a lot of time. Your school needs to be able to act quickly and inform the school’s senior leadership team, headteacher and/or data protection officer (DPO), as necessary.
This duty also extends to the individuals impacted. Individuals must be informed without delay if there is a high risk of their rights and freedoms being adversely affected.
In planning for a situation like this, it’s recommended that your school has robust processes in place and a statement/response ready to be issued, both publicly (potentially) and to individuals. Reacting to these situations as they happen, without having a solid system in place, can lead to serious stress and opens up the very real possibility of further mistakes being made.
How breaches are investigated
Under GDPR the ICO has responsibility for the investigation and pursuance of data breaches. To do so, it has powers of entry and inspection and can also apply to the courts for search warrants. Below I’ve summarised what the ICO’s powers give it the ability to do:
- Order the controller to provide any information that the ICO requires for the proper performance of its tasks
- Carry out data protection audits
- Carry out a review of certifications issued
- Notify the controller and/or processor of any alleged infringement of UK GDPR
- Obtain access from the controller and/or processor to all personal data and all information necessary for the ICO to perform its tasks
- Obtain access to any premises of the controller and/or the processor, including access, as required, to data-processing equipment.
The ICO also has powers to:
- Serve information notices which require controllers and processors to provide information, often within a specific timescale. In some instances, these can be “urgent” notices which require a response within 24 hours
- Serve assessment notices allowing the ICO to investigate whether the controller and/or processor is compliant with data protection legislation. These may require the controller and/or processor to provide access to premises and specified documentation and equipment.
The ICO’s enforcement/corrective powers
The ICO has a range of enforcement powers at its disposal to use where appropriate. For example, it can issue warnings, reprimands, and enforcement notices (explained below) that require you to take, or refrain from taking, particular steps or actions.
The ICO’s enforcement notices allow it to order:
- Data controllers and/or processors to comply with data subjects’ requests to exercise their rights (e.g. Subject Access Requests)
- Data controllers and/or processors to bring processing operations into compliance with UK GDPR, where appropriate, in a specified manner and within a specified period
- The controller to communicate a personal data breach to affected data subjects
- A temporary or definitive limitation, including a ban on processing
- The suspension of data flows to a recipient in a third country or to an international organisation
- The rectification or erasure of personal data, or restriction of processing where appropriate
- A certification body to withdraw the certification itself.
Typically, these powers of enforcement are specific and time critical, with remedial actions often needed to be completed within 28 days. Failure to do so can result in a fine. Enforcement notices are also posted on the ICO website, meaning they’re publicly available and, naturally, available to the press, which can cause significant reputational damage.
The fines the ICO imposes should be “effective, proportionate and dissuasive” and determined by a number of factors, including the nature and gravity of the infringement or whether or not the infringement was negligent or intentional. (For more information on the factors that determine the severity of a fine, see page seven of this ICO example penalty notice.)
Crucially, fines are divided into two administrative types:
- The first, the higher tier of fines of up to £17.5m or 4 per cent of annual turnover, covers infringements of data subject rights and of the basic principles of processing. (See the ICO’s £20m fine for British Airways, its biggest to date.) For example, consider whether you have a legal ground for processing the data and/or for transferring data outside of the EEA (European Economic Area) or UK where there aren’t adequate safeguards
- The second, the lower tier of fines of up to £8.7m or 2 per cent of annual turnover, applies where a particular requirement of GDPR has not been complied with. For example, data processing records may be incomplete or a DPO may have been appointed incorrectly.
What an ICO investigation looks like
An investigation by the ICO is conducted for a single reason: to ensure an organisation is acting within the framework of the law. The ICO is empowered to impose enforcement action and fines if it deems this necessary (as explained above).
Ninety per cent of ICO investigations are completed within six months. The ICO is responsible for investigating potential infringements of the Data Protection Act 2008, GDPR, the NIS Regulations 2018 and the Privacy and Electronic Communications Regulations 2003. It can also investigate criminal offences under the Freedom of Information Act 2000. (Note: the NIS Regulations 2018 aren’t directly relevant to schools, but they are relevant to cloud providers.)
The ICO’s work is divided into a number of specialist teams, including Cyber Incident Response and Investigations Teams (CIRIT) and Privacy and Digital Marketing Investigations Teams (PDMIT). More information on the differing responsibilities, objectives and processes of the ICO’s specialist teams can be found here.
Cases can come to the attention of the ICO via the affected organisations themselves, referrals from other departments, the media, or complaints from affected members of the public (i.e. your data subjects).
In summary
An investigation by the ICO can be serious, both for your school and any individuals impacted. When it comes to breaches, prevention is better than the cure. Implement robust data protection policies and processes and appoint an experienced DPO to help minimise the chances of a breach occurring in the first place.
Incidents do happen, however. So be prepared. Understand what can lead to an ICO investigation, what one looks like, and what the consequences can be. Then create a comprehensive action plan that can be quickly and effectively rolled out in the event of a breach and subsequent investigation.