25th May 2018 is a date etched in the memories of all dentists and practice managers; the date when the General Data Protection Regulations, and the Data Protection Act 2018, came into force. A little like the millennium bug, the furore surrounding this data protection revolution was immense. Was this just another layer of regulation for an already over regulated profession, or a fundamental change in the way that we treat personal data?
12 months on we look at the effect of the regulations and whether dental practices have got to grips with the changes and how the Information Commissioner’s office has been dealing with data breaches.
The General Data Protection Act, a brief history.
The GDPR and the Data Protection Act 2018 came into force on the 25th May 2018. The regulations were intended to provide Europe wide rules to protect individuals with regard to the processing of their personal data, and to regulate the movement of European citizen’s personal data across the world. The regulations included:
In practical terms the changes saw dental practices having to thoroughly overhaul the way in which they managed their patients’ data, adopting a much cohesive and considered approach to handling the personal data of their patients.
But has GDPR made a practical difference?
What do the statistics tell us?
The ICO data shows that between January 2014 and December 2016 Healthcare Organisations accounted for 43% of all reported data breaches to the ICO. In 2017 there were 2877 reported breaches, 1062 were from healthcare, 37%. The main types of breaches related to loss or theft of paperwork and data being sent to the wrong person by email or letter.
For the first “Post-GDPR” quarter, April to July 2018, healthcare data breaches accounted for 677 of 3146 reported breaches; just 21.5%. In the second quarter, August 2018 to November 2018 healthcare breaches accounted for 619 of 4056 reported breaches; just 15%. However, whilst the percentages may be going down, the overall number of breaches complained of has gone up significantly for all areas, including healthcare.
Does this mean that all the changes implemented by dental practices have been a failure? No, one reason for the significant increase in reported breaches is the general public’s greater understanding of their data protection rights. The message that your data is owned by you as an individual, and therefore should be controlled by you, is finally getting through. People are much more alive to the dangers of sharing their data freely, and know their rights. The ICO is now in the public lexicon and people know how to complain.
What the statistics do show is that there is still a great deal of room for improvement in our data processing systems and the training that we provide to team members.
What have the ICO been doing over the last year?
The short answer is, working very hard. The regulators have had to deal with the biggest changes to data protection laws in a generation, and are now coping with a significantly higher number of complaints. But along the way they have managed to catch a few of the major offenders.
In October 2018 the ICO issued the maximum fine possible (under the old regime) to Facebook for failing to protect its users’ personal information. The investigation found that between 2007 and 2014 Facebook processed the personal information of its users unfairly, by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had. Facebook failed to check the way in which app developers were using its platform. One developer harvested the data of over 87 million people worldwide.
In November 2018 the ICO fined Uber £385,000, again under the old regime, for data breaches that occurred between October and November 2016. A series of data security flaws allowed the personal data of around 2.7 million UK Uber customers to be accessed and downloaded by hackers. The records of almost 82,000 drivers were also stolen. Uber made matters much worse by failing to tell their customers or their drivers about the breach for over a year.
Whilst these fines may have had little impact on either of these multi-national companies, under the new regime the ICO can impose fines of €20 million or 4% of the company’s global turnover, whichever is higher. To put this into perspective, Facebook’s annual revenue for 2018 is reported as being $55.8 billion.
And whilst the ICO has not yet concluded any large scale investigations under the new regime, in January 2019 the French equivalent, the CNIL, fined Google €50 million for its lack of transparency and information regarding the processes it uses when processing data and the failure to provide data retention information. Furthermore, Google had not obtained valid consent, as users were not sufficiently informed, nor was the consent obtained specific or unambiguous. Google had continued to use pre-ticked boxes in certain circumstances, which drew particular criticism.
In reality, the 25th May 2018 was the start not the end of GDPR preparation. Practices must ensure that they are fully compliant and can evidence compliance in the event of a breach. Records of processing activity, privacy policies and notices must be reviewed and updated where appropriate. Staff must continue to be alive to the risk of breaches. Systems must be put in place to ensure that the risk of data breaches is reduced.
Julia Furley, Barrister