One year until GDPR comes into force
What would the implications for the NHS have been as a result of the recent ransomware attacks if GDPR were in force now?
It is exactly one year until the General Data Protection Regulation comes into force in the UK, putting more responsibility in the hands of organisations that handle personal data.
The EU regulation, which will be adopted by the UK regardless of Brexit negotiations, seeks to tighten and enhance protection of personal data, and specifically imposes information security obligations aimed at ensuring that organisations adequately protect personal data in their control. Organisations that do not adequately protect their IT systems against cyberattacks could find themselves facing hefty fines which far exceed those that can be imposed under the current Data Protection Act.
So what of the ransomware attack on NHS organisations earlier this month in the UK? What might the implications have been for the affected NHS organisations under GDPR?
If the GDPR was in force today, and if the ransomware attack involved any loss or unauthorised disclosure of personal data, then affected organisations could be facing some hefty fines – especially where their information security measures were found to be deficient. They would also have to notify the UK Information Commissioner’s Office (ICO) and possibly affected individuals of the security breach. There would also be the potential for individuals who might have been affected by the attack to bring a claim against the relevant NHS organisation.
The GDPR information security obligations are actually very similar to those in the Data Protection Act. They ‘move with the times’ by requiring organisations to take into account the ‘state of the art’ (which would include keeping up to date with security patches and software versions). But the GDPR continues to allow the costs of implementation to be taken into account, which we might assume to be a pressing factor for NHS organisations. The GDPR introduces some specific examples of security measures organisations should consider implementing, including pseudonymisation and encryption of personal data, measures to enable organisations to restore availability of and access to personal data in the event of a cyberattack, and ongoing testing and evaluation of the security of IT systems. The security measures implemented by the affected NHS organisations, and any perceived lack of appropriate measures (such as continuing to use Windows XP after it was no longer supported by the provider, Microsoft, and the failure of some trusts to apply patches that had been made available to deal with known security vulnerabilities), would have affected the level of any fine imposed.
If any personal data was accessed or put at risk as a result of the attack, the affected NHS organisations could potentially be facing fines of up to €20 million, rather than the current maximum £500k under the Data Protection Act. The GDPR sets out factors for the ICO to take into account when deciding whether to impose a fine and the level of any fine – so for example continued use of Windows XP and any failure to apply available security patches would be aggravating factors, whereas the apparent lack of any actual personal data being accessed, the steps taken by the affected NHS organisations to minimise the impact of the attack, and cooperation with the ICO would be mitigating factors. Perhaps notably, the fact that a fine would be paid out of public funds isn’t listed as a relevant factor in determining fines, although member states will have some discretion over whether and to what extent fines may be imposed on public authorities and bodies.
The GDPR contains new obligations for organisations to report personal data breaches to the relevant data protection authority within 72 hours unless the breach is unlikely to result in a risk to the individuals whose data was breached. It would therefore have been important for the affected NHS organisations to have an effective incident management function in place to quickly establish the nature, extent and resulting risks of the breach: to determine whether a notification was necessary and, if so, to communicate the required information to the ICO. They might also have had to communicate the breach to the affected individuals if the breach was likely to result in a high risk to those individuals.
Damage to individuals:
Under GDPR, individuals who have suffered material or non-material damage (such as distress) due to a breach of GDPR by an organisation holding their details will have a right to bring a claim in court. Some commentators have predicted a new “PPI”-type scenario in what could be a major risk area for organisations holding personal data.
The ICO is currently pursuing enquiries with NHS Digital, the National Cyber Security Centre and presumably the affected NHS organisations, and has stated that any appropriate next steps for the ICO will be decided once these initial enquiries are complete. We therefore await news of any enforcement action by the ICO in response to the cyberattack. If the ICO issues any enforcement notices against any of the affected organisations, compliance with those notices would be a relevant factor in determining fines for any future breaches of a similar nature. Further, under GDPR, there is much more emphasis on fines as a first line of sanction against breaching organisations, rather than the more staggered process (assistance, warning, enforcement notices and then fines) under the current DPA regime.
It’s worth pointing out that NHS England have said that they have no evidence that patient data has been accessed as a result of the cyberattack. If this is the case, the implications under the GDPR for the affected NHS organisations would be minimised. However, there is also the NIS Directive, which is due to become law in the UK in 2018 and would apply to this sort of scenario, quite apart from GDPR and even if no personal data was lost. As operators of an “essential service”, NHS organisations will be expected to notify a competent authority (which may be a different body from the ICO) in the event of a security breach having a “significant impact”. The directive also contains its own requirements in respect of operators ensuring the security of their systems. It is not yet known what level of fine breaches of the NIS Directive will attract, as it is left to member states to set out the applicable penalties in the implementing legislation.
Hannah Kirby is a solicitor at Clayden Law, specialising in data privacy, information technology and general commercial law.