A data protection enforcement order has been issued to Guernsey’s Committee for Health and Social Care concerning its inadequate data protection training and governance.
Guernsey’s Data Protection Authority (DPA) initiated two independent investigations. Both focused on whether the Committee for Health and Social Care’s (HSC) processes for staff training and personal data security were robust enough.
The investigations were launched following concerns brought to the DPA’s attention by two complainants. One complaint related to unauthorised access to medical information held on hospital systems, whilst the other complaint related to an HSC staff member using a service-user’s device for work purposes.
Both complaints resulted in investigations that were lengthy and complex and involved significant communications with HSC.
The first complaint was about a number of incidents whereby the Complainant’s medical record was accessed without apparent justification. The investigation found that training provided to HSC staff members was not robust in either its quality or the process by which it is rolled out to staff. A number of the staff members who had accessed the medical record in question had not done the requisite training mandated by HSC, and the DPA determined that the processes to monitor and enforce the completion of the mandatory training were ineffective.
The second complaint related to HSC staff members’ use of a service-user’s personal device for work purposes, which arose out of poor governance. The investigation determined that one of the primary reasons for the device being used to carry out work was that the option to utilise a workplace device was not available to the staff members in question. This was, in part, caused by the fact that a member of staff had left HSC’s employment without returning the HSC-issued laptop that had previously been utilised by the staff members in question.
HSC was unaware that the device was missing at the time because the leavers process that was in place had not been correctly followed.
The DPA concluded that had a robust process been in place and implemented, this incident may have been avoided entirely. It is understood that workplace devices have since been issued.
In conclusion, the DPA determined that HSC had:
- failed in their duty to comply with the data protection principles,
- failed to take steps to ensure compliance with the data protection principles, specifically ensuring that processes regarding staff training and staff leavers policies were robust enough, and
- failed to take reasonable steps to ensure the security of personal data they were processing.
Why is this a problem?
HSC processes large amounts of very sensitive personal data, raising the risk level of any processing and requiring more robust compliance as a result. Having concluded the two investigations, the DPA determined that HSC’s governance fell short of expected standards. In both circumstances relevant to these investigations, HSC was unaware of the issues until the Complainants themselves raised their concerns.
What has happened as a result?
The DPA issued an enforcement order to the Committee for Health and Social Care to address the identified shortcomings in its data processing practices. This means that HSC will have to demonstrate, by 31st March 2023, that it has improved those processes.
Lessons to be learned
Process and governance matter. The greater the potential harm, the more robust the process should be. It should be noted that even minor procedural missteps can have significant and sometimes entirely unexpected consequences.
It is not enough to react to data protection issues; controllers must be proactive in how they assess and manage risk in their organisations.