The recent personal data breach at the Cabinet Office highlights the importance of managing and processing personal data.
The personal data breach by the Cabinet Office in respect of those named in the 2019 New Year’s Honours List, which saw the addresses of virtually all those recognised with an honour published on the official government website, has once again shone the spotlight on the importance of managing the process of protecting personal data, ensuring that steps are taken in a prompt and efficient manner if a data breach takes place.
On 27th December 2019, a file containing the full list of recipients of a New Year’s honour was uploaded to the Government’s website. The file is alleged to have contained the details of virtually all recipients’ addresses, including those of celebrities such as the singer Elton John, cricketer Ben Stokes, presenter Gabby Logan and chef Ainsley Harriott. The details could be viewed by the general public for a number of hours before the file was eventually removed from the website the following day, by which time the error had hit the front pages of the national newspapers, calls for a public inquiry had begun and the breach had been labelled as a ‘complete disaster’ by a former Cabinet minister.
Chiefly, under the new data protection laws, it is vital that, upon discovering any personal data breach which could risk an individual’s rights and freedoms, you notify the Information Commissioner’s Office (‘ICO’) within 72 hours of becoming aware of it.
When notifying the ICO, you must, insofar as possible, give details of the nature of the data breach including the categories and number of individuals and data records concerned, details of your business’ Data Protection Officer (if any), your understanding of the potential consequences of the breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.
If there has been a breach which is likely to result in a particularly high risk to the rights and freedoms of individuals, the legislation states that you must inform those concerned as soon as possible. The rationale for this is so that the individuals can then also take steps to protect themselves from the fallout from the data breach. The individuals concerned should be provided with a point of contact at the business (most likely the business’ Data Protection Officer), a description of the likely consequences of the data breach and a description of the measures taken – or proposed to be taken – by the business in order to mitigate the breach.
Reporting a notifiable data breach to the ICO is of vital importance. Failure to do so can result in a significant penalty to the business, namely a fine of up to 10m Euros or 2% of the business’ global turnover.
The business should undertake a root-and-branch review of its processes and procedures to locate the cause of the data breach and how it came to happen. Once the business has located this point of weakness, it can work to strengthen its existing procedures or indeed implement new processes in order to enhance its protection and safekeeping of the personal data that it processes.
Typical practical steps that can be taken to prevent a recurrence of a personal data breach include:
At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:
If you would like further information, please contact Grant Usher (Associate) at email@example.com or via telephone on 023 9231 2058.